formbook | ad613ea8f2d306d287fe42bb1c866457621be85314baa9ceaad0fc4c1a3eb7f7

General

Target

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
Size

749KB
MD5

6561c71692329e5c4b10948e273ac496
SHA1

f01d729fbd8934730fd7531fa00649089e531616
SHA256

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
SHA512

73fe44ecf169bf6b35b7b3732caf201a6d949739cd5b627137f63dfef68e20ee9132def26672ecd9689a636d269a3e14853b6d771312c764ef23b2a05f762fa5
SSDEEP

12288:i97mYMUnFW/N5b9hsF+U5u0RX4up4Aev8lZLse1bdHnL+2CzomKsciaicxJnj:i97UrIF+UloE4AevUZhniZzL2iKv

Score

10^/10

formbook jr22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1664-76-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1152-77-0x0000000002290000-0x00000000022D0000-memory.dmp	formbook
behavioral1/memory/1152-81-0x0000000002290000-0x00000000022D0000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	pid	process	target process
PID 1516 set thread context of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1944 schtasks.exe

pid	process
1944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exepowershell.exepowershell.exe2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

pid	process
1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
576	powershell.exe
1152	powershell.exe
1664	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1152	powershell.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	pid	process	target process
PID 1516 wrote to memory of 576	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 576	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 576	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 576	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 1152	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 1152	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 1152	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 1152	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 1516 wrote to memory of 1944	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 1516 wrote to memory of 1944	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 1516 wrote to memory of 1944	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 1516 wrote to memory of 1944	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 1516 wrote to memory of 1656	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1656	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1656	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1656	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 1516 wrote to memory of 1664	1516	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1516

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:576

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mcTvsw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1152

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mcTvsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC266.tmp"
2⤵
- Creates scheduled task(s)
PID:1944

C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
2⤵
PID:1656

C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1664

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpC266.tmp

Filesize
1KB

MD5
4a8aef37e957ccdb9f787fc06a35e09a

SHA1
f6bc7d98dc648668b844db90f3d7029affb741e7

SHA256
e96fe030eb6b08b4de61a121139a609198a6e70bbaafe8152744a90d4f7d3d2e

SHA512
d7ae07a602481a40cc00d5f6009bce48a68436cf94cefc2bdd4966dd715d3a06faf61cdedf55bf30ec9eb4e74f0e5c0ad4faeddc3f6fdfa33f8731770a420157

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3VBPUUTBPW27EQ46H9C9.temp

Filesize
7KB

MD5
9df356c1e296936a300cd137e45c64ab

SHA1
44fd643d2d7a573780d0a13ea8cdd70b7127bd3e

SHA256
daa1df89fa8eaad0f5260509d8af6cc076e99fd319cf15a8e76c0d4c884f86c4

SHA512
9cc28d479be2b0052d6b5818e01c272675c455b99f3d4fa0e4331088232b6574dd47a97ebc2392523e3f5c0450e1d7349585b4d4b94d4f0492f2251804b07424

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9df356c1e296936a300cd137e45c64ab

SHA1
44fd643d2d7a573780d0a13ea8cdd70b7127bd3e

SHA256
daa1df89fa8eaad0f5260509d8af6cc076e99fd319cf15a8e76c0d4c884f86c4

SHA512
9cc28d479be2b0052d6b5818e01c272675c455b99f3d4fa0e4331088232b6574dd47a97ebc2392523e3f5c0450e1d7349585b4d4b94d4f0492f2251804b07424

Download Submit
memory/576-82-0x0000000002460000-0x00000000024A0000-memory.dmp

Filesize
256KB

Download
memory/576-79-0x0000000002460000-0x00000000024A0000-memory.dmp

Filesize
256KB

Download
memory/1152-81-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/1152-78-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/1152-77-0x0000000002290000-0x00000000022D0000-memory.dmp

Filesize
256KB

Download
memory/1516-59-0x00000000056C0000-0x0000000005770000-memory.dmp

Filesize
704KB

Download
memory/1516-72-0x0000000004F50000-0x0000000004F88000-memory.dmp

Filesize
224KB

Download
memory/1516-54-0x00000000000D0000-0x0000000000190000-memory.dmp

Filesize
768KB

Download
memory/1516-58-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/1516-57-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1516-56-0x0000000000630000-0x0000000000644000-memory.dmp

Filesize
80KB

Download
memory/1516-55-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/1664-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1664-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-80-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads