formbook | 6c3654d20a676bf9b7f77546e23bfb3a7d2d23f1d535d0feced966a22ece5d60

General

Target

aa05023887117e6f52dce6ae40dcab9d.exe
Size

272KB
MD5

aa05023887117e6f52dce6ae40dcab9d
SHA1

3f6c3e8cc656a436be4ddbc248432e48dcd8aa0d
SHA256

6c3654d20a676bf9b7f77546e23bfb3a7d2d23f1d535d0feced966a22ece5d60
SHA512

329d06ab016a9413e5320170d1ede46dc50d3a4aea13efc600919858e8100ff3b56b8934f0815a4f3cfed45e7641488f9768b6635c03504ba958194287584362
SSDEEP

6144:BYa6q6/iwjO/07RXNHT0uZ0w+5IoujNbjcgTAgqZ6VOmA+:BYcKji079BV0/IVNbQgMkw+

Score

10^/10

formbook sk29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sk29

Decoy

adobeholidaylego.com

labassecourdecaro.com

whhlbz.net

aikxian.net

myimmigration.net

etribe.info

fercosgru.com

everbrighthouse.com

finepizzavegesack.info

mesuretonradon.com

escopic.art

mapzle.com

panachesports.net

alabamasbesthvac.com

esghf.com

usrisik.com

activseal.com

eventplanningpros.africa

adufyuwefjdfuiwefl.site

kornilt.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1140-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1140-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/984-78-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/984-82-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1080	dfglvpsjkp.exe
1140	dfglvpsjkp.exe

Loads dropped DLL 3 IoCs

pid	Process
1996	aa05023887117e6f52dce6ae40dcab9d.exe
1996	aa05023887117e6f52dce6ae40dcab9d.exe
1080	dfglvpsjkp.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1080 set thread context of 1140	1080	dfglvpsjkp.exe	28
PID 1140 set thread context of 1380	1140	dfglvpsjkp.exe	14
PID 1140 set thread context of 1380	1140	dfglvpsjkp.exe	14
PID 984 set thread context of 1380	984	explorer.exe	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
1140	dfglvpsjkp.exe
1140	dfglvpsjkp.exe
1140	dfglvpsjkp.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe
984	explorer.exe

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1080	dfglvpsjkp.exe
1140	dfglvpsjkp.exe
1140	dfglvpsjkp.exe
1140	dfglvpsjkp.exe
1140	dfglvpsjkp.exe
984	explorer.exe
984	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1140	dfglvpsjkp.exe
Token: SeDebugPrivilege	984	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1996 wrote to memory of 1080	1996	aa05023887117e6f52dce6ae40dcab9d.exe	27
PID 1996 wrote to memory of 1080	1996	aa05023887117e6f52dce6ae40dcab9d.exe	27
PID 1996 wrote to memory of 1080	1996	aa05023887117e6f52dce6ae40dcab9d.exe	27
PID 1996 wrote to memory of 1080	1996	aa05023887117e6f52dce6ae40dcab9d.exe	27
PID 1080 wrote to memory of 1140	1080	dfglvpsjkp.exe	28
PID 1080 wrote to memory of 1140	1080	dfglvpsjkp.exe	28
PID 1080 wrote to memory of 1140	1080	dfglvpsjkp.exe	28
PID 1080 wrote to memory of 1140	1080	dfglvpsjkp.exe	28
PID 1080 wrote to memory of 1140	1080	dfglvpsjkp.exe	28
PID 1380 wrote to memory of 984	1380	Explorer.EXE	29
PID 1380 wrote to memory of 984	1380	Explorer.EXE	29
PID 1380 wrote to memory of 984	1380	Explorer.EXE	29
PID 1380 wrote to memory of 984	1380	Explorer.EXE	29
PID 984 wrote to memory of 912	984	explorer.exe	30
PID 984 wrote to memory of 912	984	explorer.exe	30
PID 984 wrote to memory of 912	984	explorer.exe	30
PID 984 wrote to memory of 912	984	explorer.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\aa05023887117e6f52dce6ae40dcab9d.exe
  "C:\Users\Admin\AppData\Local\Temp\aa05023887117e6f52dce6ae40dcab9d.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1996
- - C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe
    "C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe" C:\Users\Admin\AppData\Local\Temp\ibelj.we
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1080
  - - C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe
      "C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:1140
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:984
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe"
    3⤵
    PID:912

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
C:\Users\Admin\AppData\Local\Temp\ibelj.we

Filesize
6KB

MD5
eaa4627852ed5e2557a6afecf12d0282

SHA1
a8c6aa5457d447cb58663a221201ad67d9cb943a

SHA256
0eedb930b6db484b860aa47779ba6b2b58e6cb32753911ed4876d3c5259fdb84

SHA512
afdd6802387e1af9e877c7db7b3bad3944a2720afa29fdceb19f7149ce2c4650aa665a6a6a16ce2f043faf6a683f66c9938e05365040a9cecfc71608c4cfaebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\jzvcn.zz

Filesize
205KB

MD5
191ae9b68fae3bcb487d6d1da3b96cad

SHA1
4d6ae0a7d3ea88b34c9a468fb37bcfdc7a29c32d

SHA256
74c2ad5bd62c43b8ceecf3d2efc8196189682234041a6e92e53a2aa7f59d4e50

SHA512
61fe2e85382d927ad5e637c5bc92ee00f4ee7c65b3c7585cb230fb9b9bcf9459cda4bb08bee6790df767bf886fb3ca8b93ba0db4f331cea79054bb0dd5be18ae

Download Submit
\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
\Users\Admin\AppData\Local\Temp\dfglvpsjkp.exe

Filesize
74KB

MD5
8658874b9698ae905b5f95069d718a26

SHA1
27c270fd5ea76820c493562d8f7cba5e35854757

SHA256
236717fc22df1f7ee4f8ded993fd44e3b67a04f04e43d8dcfa3bd818525bafe6

SHA512
f9a202575f9f311395ba20fc562f4509a5d69dcb5e4aa838125c2948d9b24068102fb1dc9e0a38d26b8e1622700e5d629a8d4052e5348042ad3559d9edf0daa6

Download Submit
memory/984-77-0x0000000000CA0000-0x0000000000F21000-memory.dmp

Filesize
2.5MB

Download
memory/984-82-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/984-80-0x0000000000A90000-0x0000000000B23000-memory.dmp

Filesize
588KB

Download
memory/984-79-0x0000000002330000-0x0000000002633000-memory.dmp

Filesize
3.0MB

Download
memory/984-78-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/984-75-0x0000000074711000-0x0000000074713000-memory.dmp

Filesize
8KB

Download
memory/1140-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1140-70-0x0000000000380000-0x0000000000394000-memory.dmp

Filesize
80KB

Download
memory/1140-68-0x0000000000330000-0x0000000000344000-memory.dmp

Filesize
80KB

Download
memory/1140-67-0x0000000000730000-0x0000000000A33000-memory.dmp

Filesize
3.0MB

Download
memory/1140-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-71-0x0000000006D60000-0x0000000006F0E000-memory.dmp

Filesize
1.7MB

Download
memory/1380-69-0x0000000004EE0000-0x0000000005011000-memory.dmp

Filesize
1.2MB

Download
memory/1380-81-0x0000000006F10000-0x0000000007093000-memory.dmp

Filesize
1.5MB

Download
memory/1380-83-0x0000000006F10000-0x0000000007093000-memory.dmp

Filesize
1.5MB

Download
memory/1996-54-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing