formbook | 38dbb7d9a2c526dcee3f3e75a846223cd505e544f69647cf02394cd41d2503f5

General

Target

d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe
Size

356KB
MD5

89638fe1a25c80932d9e4cb30238e194
SHA1

39e2ba0f53784ba65b1c5c33c7629447944390d0
SHA256

d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031
SHA512

d2c8474b02dbab013bb1924826c27e04e32ac260a58ccc925624c65411628ba252992f9e7fdd931a961b18a75d0cb54289e14a36dda708a4ae7cb2d28719b801
SSDEEP

6144:/Ya6QPTmatecxGcFxZci7zQiJtMCnTiyaaMvJZEFST/WxHNQow:/YePTmat2cFcivxTvktvUS8eP

Score

10^/10

formbook vr21 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr21

Decoy

detrop.ru

bolacash.club

thezoidtv.africa

bigartgallerystudio.com

doshkoljata.ru

gamesdaybuddiessingles.com

zonlin.net

thehilltoplodges.co.uk

fcvip.club

amandacurtinnutrition.com

londonairporttaxies.com

graniteteammates.com

devthanhvo.site

kl-thelabel.com

a1choice.net

amzprod.com

iwaint.com

device-children.com

canada-immigration-72440.com

irsdev.ru

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/460-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/460-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/648-77-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/648-79-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
1656	setacrtv.exe
460	setacrtv.exe

Loads dropped DLL 2 IoCs

pid	Process
1704	d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe
1656	setacrtv.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1656 set thread context of 460	1656	setacrtv.exe	29
PID 460 set thread context of 1344	460	setacrtv.exe	15
PID 648 set thread context of 1344	648	explorer.exe	15

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
460	setacrtv.exe
460	setacrtv.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe
648	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1344	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1656	setacrtv.exe
460	setacrtv.exe
460	setacrtv.exe
460	setacrtv.exe
648	explorer.exe
648	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	460	setacrtv.exe
Token: SeDebugPrivilege	648	explorer.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1344	Explorer.EXE
1344	Explorer.EXE

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 1704 wrote to memory of 1656	1704	d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe	27
PID 1704 wrote to memory of 1656	1704	d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe	27
PID 1704 wrote to memory of 1656	1704	d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe	27
PID 1704 wrote to memory of 1656	1704	d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe	27
PID 1656 wrote to memory of 460	1656	setacrtv.exe	29
PID 1656 wrote to memory of 460	1656	setacrtv.exe	29
PID 1656 wrote to memory of 460	1656	setacrtv.exe	29
PID 1656 wrote to memory of 460	1656	setacrtv.exe	29
PID 1656 wrote to memory of 460	1656	setacrtv.exe	29
PID 1344 wrote to memory of 648	1344	Explorer.EXE	30
PID 1344 wrote to memory of 648	1344	Explorer.EXE	30
PID 1344 wrote to memory of 648	1344	Explorer.EXE	30
PID 1344 wrote to memory of 648	1344	Explorer.EXE	30
PID 648 wrote to memory of 1192	648	explorer.exe	31
PID 648 wrote to memory of 1192	648	explorer.exe	31
PID 648 wrote to memory of 1192	648	explorer.exe	31
PID 648 wrote to memory of 1192	648	explorer.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Users\Admin\AppData\Local\Temp\d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe
  "C:\Users\Admin\AppData\Local\Temp\d67bc9de761645c9aa4b5669cd355f2fecde8b4e9b22f64f327f282754742031.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Users\Admin\AppData\Local\Temp\setacrtv.exe
    "C:\Users\Admin\AppData\Local\Temp\setacrtv.exe" C:\Users\Admin\AppData\Local\Temp\bjtqn.j
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:1656
  - - C:\Users\Admin\AppData\Local\Temp\setacrtv.exe
      "C:\Users\Admin\AppData\Local\Temp\setacrtv.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      PID:460
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\setacrtv.exe"
    3⤵
    PID:1192

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bjtqn.j

Filesize
5KB

MD5
f88e7b8f410183ebe6d8a93c0c69fac1

SHA1
884dcfdc390ab5c16acf4825e845196689660c13

SHA256
68164f2638aadfe26b24d6d95a2402630f60b9922aa925be8122f8f85afde02f

SHA512
8b515dc62db6ac2c42f86de72fc7f940e40885f16fda4c19c77a5072fad3fb19edcc4cc1eaf05debe9894d221fe84e240c7df8ee1988c1f44134129ad8af00fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\qtbhihuhdo.thc

Filesize
205KB

MD5
1de3b6dbb675773b015c982ca0d6bef3

SHA1
e974f0da17266919737c3920d7a00d68ee933216

SHA256
0c83a2f8962ec4832b276cf006a8fa55fc0f2e7da6a66cb5cc73ab00e3062a15

SHA512
69df2e4715b354a644dbdc8eb61d7bad13c6c56d12754435ee9ae0946c3d7aa2b3faa5259810735080831807a7fd5387efe09b78d109c1c654498025c787be31

Download Submit
C:\Users\Admin\AppData\Local\Temp\setacrtv.exe

Filesize
296KB

MD5
b4f16ffac645f80188483e424f7a441a

SHA1
78daa0412c734d0e3480c7b9e93a4261cd9a2abd

SHA256
0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

SHA512
33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

Download Submit
C:\Users\Admin\AppData\Local\Temp\setacrtv.exe

Filesize
296KB

MD5
b4f16ffac645f80188483e424f7a441a

SHA1
78daa0412c734d0e3480c7b9e93a4261cd9a2abd

SHA256
0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

SHA512
33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

Download Submit
C:\Users\Admin\AppData\Local\Temp\setacrtv.exe

Filesize
296KB

MD5
b4f16ffac645f80188483e424f7a441a

SHA1
78daa0412c734d0e3480c7b9e93a4261cd9a2abd

SHA256
0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

SHA512
33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

Download Submit
\Users\Admin\AppData\Local\Temp\setacrtv.exe

Filesize
296KB

MD5
b4f16ffac645f80188483e424f7a441a

SHA1
78daa0412c734d0e3480c7b9e93a4261cd9a2abd

SHA256
0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

SHA512
33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

Download Submit
\Users\Admin\AppData\Local\Temp\setacrtv.exe

Filesize
296KB

MD5
b4f16ffac645f80188483e424f7a441a

SHA1
78daa0412c734d0e3480c7b9e93a4261cd9a2abd

SHA256
0b32074d192d96a87c40ad5527f2906da427389880a729a0bc6c2e6e874bbbd1

SHA512
33202533d738df65440c87cc70ec0166beaa95da4d8d22b4fbef50c9038e1b64457b39fd0a7a6ca2f2c40c6b2b71dd5c934f45a12bd117f043a721ebd7b6f140

Download Submit
memory/460-70-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/460-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/460-71-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/460-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/648-81-0x0000000000A30000-0x0000000000AC3000-memory.dmp

Filesize
588KB

Download
memory/648-74-0x0000000000EC0000-0x0000000001141000-memory.dmp

Filesize
2.5MB

Download
memory/648-76-0x0000000000EC0000-0x0000000001141000-memory.dmp

Filesize
2.5MB

Download
memory/648-77-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/648-78-0x0000000002550000-0x0000000002853000-memory.dmp

Filesize
3.0MB

Download
memory/648-79-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1344-72-0x0000000007230000-0x0000000007386000-memory.dmp

Filesize
1.3MB

Download
memory/1344-83-0x0000000006670000-0x0000000006783000-memory.dmp

Filesize
1.1MB

Download
memory/1344-84-0x0000000006670000-0x0000000006783000-memory.dmp

Filesize
1.1MB

Download
memory/1344-86-0x0000000006670000-0x0000000006783000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing