formbook | fdcdd88c8de821d3cbb39bd3d1f64173f5f6b9d1e399db1d57a434081bfa5852

General

Target

SCAN 000090499000045739.IMG.exe
Size

1.1MB
MD5

912b66f6aeee60ff00e90b9d267529b3
SHA1

38cb4ce90e7e19bb42f3fb6d48e69d02db891ec1
SHA256

d5fe9ec3478dfc65a14ded1ca3e9ced361617a085ec6c3da1bd9b9cc0083511f
SHA512

0e58095cbe3a50103e1a76c3918c8c0f55d965df9fc4a2526ec0d8ac5c65ed9161c81c2fa9dfbae93ba5ec925b578bf52632fbc8a39126936912abfad1ddb80b
SSDEEP

24576:3uOZ6wGkB+e9uf8mSiEPQ3h5oPIpYAMYDkX94bMtP9DGfO:SYQ38+Y72O94bu9GO

Score

10^/10

formbook bpnw rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bpnw

Decoy

subsc-music.com

spiffyd01.buzz

link2it.xyz

coenst.site

carltonautomatic.com

argbeauty.co.uk

tenantdfgg.click

mammothbechtelar.com

bekkarblogger.com

rheamoments.com

themagicofbedtime.com

berksbeaconnews.com

1stpagerealestate.com

ammarshoes.com

lv-newlife.com

travelnewsbuzz.com

promo-tv.fun

getfreedownload.online

al-istitmar.info

strataclleanenergy.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/336-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1764-72-0x0000000002430000-0x0000000002470000-memory.dmp	formbook
behavioral1/memory/336-80-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1304-82-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1304-83-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1392 cmd.exe

pid	process
1392	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

SCAN 000090499000045739.IMG.exeSCAN 000090499000045739.IMG.execmd.exe

description	pid	process	target process
PID 1716 set thread context of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 336 set thread context of 1272	336	SCAN 000090499000045739.IMG.exe	Explorer.EXE
PID 1304 set thread context of 1272	1304	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

964 schtasks.exe

pid	process
964	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

powershell.exeSCAN 000090499000045739.IMG.execmd.exe

pid	process
1764	powershell.exe
336	SCAN 000090499000045739.IMG.exe
336	SCAN 000090499000045739.IMG.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe
1304	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

SCAN 000090499000045739.IMG.execmd.exe

pid process

336 SCAN 000090499000045739.IMG.exe
336 SCAN 000090499000045739.IMG.exe
336 SCAN 000090499000045739.IMG.exe
1304 cmd.exe
1304 cmd.exe

pid	process
1272	Explorer.EXE

pid	process
336	SCAN 000090499000045739.IMG.exe
336	SCAN 000090499000045739.IMG.exe
336	SCAN 000090499000045739.IMG.exe
1304	cmd.exe
1304	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exeSCAN 000090499000045739.IMG.execmd.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	336	SCAN 000090499000045739.IMG.exe
Token: SeDebugPrivilege	1304	cmd.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1272 Explorer.EXE
1272 Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

pid	process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

SCAN 000090499000045739.IMG.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1716 wrote to memory of 1764	1716	SCAN 000090499000045739.IMG.exe	powershell.exe
PID 1716 wrote to memory of 1764	1716	SCAN 000090499000045739.IMG.exe	powershell.exe
PID 1716 wrote to memory of 1764	1716	SCAN 000090499000045739.IMG.exe	powershell.exe
PID 1716 wrote to memory of 1764	1716	SCAN 000090499000045739.IMG.exe	powershell.exe
PID 1716 wrote to memory of 964	1716	SCAN 000090499000045739.IMG.exe	schtasks.exe
PID 1716 wrote to memory of 964	1716	SCAN 000090499000045739.IMG.exe	schtasks.exe
PID 1716 wrote to memory of 964	1716	SCAN 000090499000045739.IMG.exe	schtasks.exe
PID 1716 wrote to memory of 964	1716	SCAN 000090499000045739.IMG.exe	schtasks.exe
PID 1716 wrote to memory of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 1716 wrote to memory of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 1716 wrote to memory of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 1716 wrote to memory of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 1716 wrote to memory of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 1716 wrote to memory of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 1716 wrote to memory of 336	1716	SCAN 000090499000045739.IMG.exe	SCAN 000090499000045739.IMG.exe
PID 1272 wrote to memory of 1304	1272	Explorer.EXE	cmd.exe
PID 1272 wrote to memory of 1304	1272	Explorer.EXE	cmd.exe
PID 1272 wrote to memory of 1304	1272	Explorer.EXE	cmd.exe
PID 1272 wrote to memory of 1304	1272	Explorer.EXE	cmd.exe
PID 1304 wrote to memory of 1392	1304	cmd.exe	cmd.exe
PID 1304 wrote to memory of 1392	1304	cmd.exe	cmd.exe
PID 1304 wrote to memory of 1392	1304	cmd.exe	cmd.exe
PID 1304 wrote to memory of 1392	1304	cmd.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\SCAN 000090499000045739.IMG.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN 000090499000045739.IMG.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\lSKfiPQsNNpnoZ.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1764

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\lSKfiPQsNNpnoZ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp88B1.tmp"
2⤵
- Creates scheduled task(s)
PID:964

C:\Users\Admin\AppData\Local\Temp\SCAN 000090499000045739.IMG.exe
"C:\Users\Admin\AppData\Local\Temp\SCAN 000090499000045739.IMG.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:336

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1304

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\SCAN 000090499000045739.IMG.exe"
3⤵
- Deletes itself
PID:1392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp88B1.tmp
Filesize
1KB

MD5
135bbca92512e389683ca0c17d40178b

SHA1
701c2762796879f31a48d3e9ed7d519ceadc098a

SHA256
a70e3844d3f0cfda034a70186125629a82bb4a94682165eefb01f5ed65b768b7

SHA512
b43507bf1ba7337f638bdbfbb7c71e241f1fe453b36da10b7fca9078ef70fbafa9ad7a2de113493056179650b185b27c14c193e33af70a1c4c9920226789acfe

Download Submit
memory/336-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/336-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-77-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/336-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-76-0x00000000009D0000-0x0000000000CD3000-memory.dmp

Filesize
3.0MB

Download
memory/336-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-89-0x0000000004E50000-0x0000000004FC1000-memory.dmp

Filesize
1.4MB

Download
memory/1272-88-0x0000000004E50000-0x0000000004FC1000-memory.dmp

Filesize
1.4MB

Download
memory/1272-78-0x0000000004B40000-0x0000000004C7F000-memory.dmp

Filesize
1.2MB

Download
memory/1272-91-0x0000000004E50000-0x0000000004FC1000-memory.dmp

Filesize
1.4MB

Download
memory/1272-75-0x00000000026F0000-0x00000000027F0000-memory.dmp

Filesize
1024KB

Download
memory/1304-82-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1304-84-0x0000000001FE0000-0x00000000022E3000-memory.dmp

Filesize
3.0MB

Download
memory/1304-87-0x0000000001D10000-0x0000000001DA3000-memory.dmp

Filesize
588KB

Download
memory/1304-83-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1304-81-0x000000004A660000-0x000000004A6AC000-memory.dmp

Filesize
304KB

Download
memory/1304-79-0x000000004A660000-0x000000004A6AC000-memory.dmp

Filesize
304KB

Download
memory/1716-58-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/1716-59-0x0000000005980000-0x0000000005A2E000-memory.dmp

Filesize
696KB

Download
memory/1716-54-0x0000000000260000-0x000000000037C000-memory.dmp

Filesize
1.1MB

Download
memory/1716-67-0x0000000004CF0000-0x0000000004D28000-memory.dmp

Filesize
224KB

Download
memory/1716-57-0x0000000004370000-0x00000000043B0000-memory.dmp

Filesize
256KB

Download
memory/1716-56-0x0000000000670000-0x0000000000684000-memory.dmp

Filesize
80KB

Download
memory/1716-55-0x0000000004370000-0x00000000043B0000-memory.dmp

Filesize
256KB

Download
memory/1764-74-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download
memory/1764-72-0x0000000002430000-0x0000000002470000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads