formbook | e40c5bfeba2c0e7654c3d37aed277b635cfdcd8b2ca132a0b539845593b28629

General

Target

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
Size

749KB
MD5

6561c71692329e5c4b10948e273ac496
SHA1

f01d729fbd8934730fd7531fa00649089e531616
SHA256

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
SHA512

73fe44ecf169bf6b35b7b3732caf201a6d949739cd5b627137f63dfef68e20ee9132def26672ecd9689a636d269a3e14853b6d771312c764ef23b2a05f762fa5
SSDEEP

12288:i97mYMUnFW/N5b9hsF+U5u0RX4up4Aev8lZLse1bdHnL+2CzomKsciaicxJnj:i97UrIF+UloE4AevUZhniZzL2iKv

Score

10^/10

formbook jr22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/364-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	pid	process	target process
PID 908 set thread context of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

824 schtasks.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

powershell.exepowershell.exe2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

pid process

1964 powershell.exe
568 powershell.exe
364 2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1964 powershell.exe
Token: SeDebugPrivilege 568 powershell.exe

pid	process
824	schtasks.exe

pid	process
1964	powershell.exe
568	powershell.exe
364	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	pid	process
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	pid	process	target process
PID 908 wrote to memory of 568	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 568	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 568	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 568	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 1964	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 1964	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 1964	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 1964	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 908 wrote to memory of 824	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 908 wrote to memory of 824	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 908 wrote to memory of 824	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 908 wrote to memory of 824	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 908 wrote to memory of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 908 wrote to memory of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 908 wrote to memory of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 908 wrote to memory of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 908 wrote to memory of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 908 wrote to memory of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 908 wrote to memory of 364	908	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mcTvsw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1964

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mcTvsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEC14.tmp"
2⤵
- Creates scheduled task(s)
PID:824

C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:364

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpEC14.tmp

Filesize
1KB

MD5
08ca3f884ba2623e03ad54b9b73c63c2

SHA1
308f433aa75a9ba689178a3413f538aa2169d159

SHA256
a9a1e9b9526d25db3a178776df2a4cd570027a12861ac36fd7b7d82e51f93ea0

SHA512
79b6d96d2b62f3862be02e0ef73220b37efd0181acb4e0ac6ea64ace0896709f0a052a27b5f05595e0f2e902e55d225d9dd253d6e2ef113c8edd674d2f20718a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\T5ZMDY1UI0R7MH1ANXVZ.temp

Filesize
7KB

MD5
ce08c6954497d37dfe616c7228e3ed97

SHA1
fd7c905c11e2d62dddba4ac44a3c1222474f2d8f

SHA256
3e1a0cf1e2844476b63fad0c97ad996218e422f0d232f3ba55451bd6db12a5a2

SHA512
870a22fb6e937ecdac9694e1ab6f8210e8376b2b5500b0c0ff2eb2e224273009f4907d9efeebc3eeba615bf58f27c919f34e187437b4f4dbad104aed794b2be5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ce08c6954497d37dfe616c7228e3ed97

SHA1
fd7c905c11e2d62dddba4ac44a3c1222474f2d8f

SHA256
3e1a0cf1e2844476b63fad0c97ad996218e422f0d232f3ba55451bd6db12a5a2

SHA512
870a22fb6e937ecdac9694e1ab6f8210e8376b2b5500b0c0ff2eb2e224273009f4907d9efeebc3eeba615bf58f27c919f34e187437b4f4dbad104aed794b2be5

Download Submit
memory/364-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/364-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/364-74-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/364-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/364-77-0x00000000009B0000-0x0000000000CB3000-memory.dmp

Filesize
3.0MB

Download
memory/908-58-0x00000000057D0000-0x0000000005880000-memory.dmp

Filesize
704KB

Download
memory/908-57-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/908-56-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/908-55-0x0000000000630000-0x0000000000670000-memory.dmp

Filesize
256KB

Download
memory/908-71-0x0000000004380000-0x00000000043B8000-memory.dmp

Filesize
224KB

Download
memory/908-54-0x00000000001A0000-0x0000000000260000-memory.dmp

Filesize
768KB

Download
memory/1964-76-0x00000000024A0000-0x00000000024E0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads