formbook | e40c5bfeba2c0e7654c3d37aed277b635cfdcd8b2ca132a0b539845593b28629

General

Target

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
Size

749KB
MD5

6561c71692329e5c4b10948e273ac496
SHA1

f01d729fbd8934730fd7531fa00649089e531616
SHA256

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732
SHA512

73fe44ecf169bf6b35b7b3732caf201a6d949739cd5b627137f63dfef68e20ee9132def26672ecd9689a636d269a3e14853b6d771312c764ef23b2a05f762fa5
SSDEEP

12288:i97mYMUnFW/N5b9hsF+U5u0RX4up4Aev8lZLse1bdHnL+2CzomKsciaicxJnj:i97UrIF+UloE4AevUZhniZzL2iKv

Score

10^/10

formbook jr22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2508-149-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	pid	process	target process
PID 3728 set thread context of 2508	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3652 schtasks.exe

pid	process
3652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

powershell.exepowershell.exe2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

pid	process
2120	powershell.exe
2120	powershell.exe
3688	powershell.exe
3688	powershell.exe
2508	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
2508	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
3688	powershell.exe
2120	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3688 powershell.exe
Token: SeDebugPrivilege 2120 powershell.exe

description	pid	process
Token: SeDebugPrivilege	3688	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

description	pid	process	target process
PID 3728 wrote to memory of 2120	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 3728 wrote to memory of 2120	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 3728 wrote to memory of 2120	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 3728 wrote to memory of 3688	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 3728 wrote to memory of 3688	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 3728 wrote to memory of 3688	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	powershell.exe
PID 3728 wrote to memory of 3652	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 3728 wrote to memory of 3652	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 3728 wrote to memory of 3652	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	schtasks.exe
PID 3728 wrote to memory of 2508	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 3728 wrote to memory of 2508	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 3728 wrote to memory of 2508	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 3728 wrote to memory of 2508	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 3728 wrote to memory of 2508	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
PID 3728 wrote to memory of 2508	3728	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe	2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe

C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3728

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mcTvsw.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mcTvsw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3DF3.tmp"
2⤵
- Creates scheduled task(s)
PID:3652

C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe
"C:\Users\Admin\AppData\Local\Temp\2ee6aac96667a49df963edc8384038b0859d689ab4377e74ac7f45086010c732.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
2c1359bbc37ea99741c6d6cf085b7c89

SHA1
55d2eebb7ccf47e08b3a1ea114469c904bb77d4f

SHA256
071c0c7d191f10449eb959092b3c44f476305a4f0b77f633a9c7e9e9f80c7333

SHA512
827fe633f05efff6efeb64b12d7e0a81438807bf4af091a7e059a9afec6a352045e4c0695f6ac6e3b1b8cba767769ceee533c50a71f461734084d03eaaa931cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0tzboqgk.qzj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3DF3.tmp

Filesize
1KB

MD5
25e51dc07d7ecc5f67d8d20868593c7e

SHA1
84cc3a4946ef726ece15278926e95d8b6686c824

SHA256
fa1c980d5eddfa698fb505ffb1f597140fc534a67dbbb9c2bbceb0179ad757f9

SHA512
49a8d20f6df6e6af1a13e4c6af7f47f0e3bd7483c453410f3b0e5a09dd9869f7e213286d66c50f51b4eee3583ea757cc5402608832b1a46a18c9601e9f5dbc11

Download Submit
memory/2120-200-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2120-205-0x0000000007A40000-0x0000000007A4E000-memory.dmp

Filesize
56KB

Download
memory/2120-206-0x0000000007B50000-0x0000000007B6A000-memory.dmp

Filesize
104KB

Download
memory/2120-144-0x0000000002BF0000-0x0000000002C26000-memory.dmp

Filesize
216KB

Download
memory/2120-145-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2120-146-0x0000000002BE0000-0x0000000002BF0000-memory.dmp

Filesize
64KB

Download
memory/2120-147-0x0000000005780000-0x0000000005DA8000-memory.dmp

Filesize
6.2MB

Download
memory/2120-175-0x0000000006500000-0x000000000651E000-memory.dmp

Filesize
120KB

Download
memory/2120-177-0x0000000071630000-0x000000007167C000-memory.dmp

Filesize
304KB

Download
memory/2120-204-0x0000000007A90000-0x0000000007B26000-memory.dmp

Filesize
600KB

Download
memory/2120-152-0x0000000005E20000-0x0000000005E86000-memory.dmp

Filesize
408KB

Download
memory/2120-202-0x000000007F660000-0x000000007F670000-memory.dmp

Filesize
64KB

Download
memory/2120-199-0x0000000007810000-0x000000000782A000-memory.dmp

Filesize
104KB

Download
memory/2120-188-0x0000000006AA0000-0x0000000006ABE000-memory.dmp

Filesize
120KB

Download
memory/2508-172-0x00000000018C0000-0x0000000001C0A000-memory.dmp

Filesize
3.3MB

Download
memory/2508-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3688-151-0x0000000004A20000-0x0000000004A42000-memory.dmp

Filesize
136KB

Download
memory/3688-203-0x0000000006D60000-0x0000000006D6A000-memory.dmp

Filesize
40KB

Download
memory/3688-176-0x0000000005FC0000-0x0000000005FF2000-memory.dmp

Filesize
200KB

Download
memory/3688-173-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3688-187-0x0000000071630000-0x000000007167C000-memory.dmp

Filesize
304KB

Download
memory/3688-174-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3688-198-0x0000000007340000-0x00000000079BA000-memory.dmp

Filesize
6.5MB

Download
memory/3688-207-0x0000000007010000-0x0000000007018000-memory.dmp

Filesize
32KB

Download
memory/3688-153-0x00000000053B0000-0x0000000005416000-memory.dmp

Filesize
408KB

Download
memory/3688-201-0x0000000002370000-0x0000000002380000-memory.dmp

Filesize
64KB

Download
memory/3728-136-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3728-138-0x0000000005140000-0x0000000005150000-memory.dmp

Filesize
64KB

Download
memory/3728-137-0x0000000005310000-0x000000000531A000-memory.dmp

Filesize
40KB

Download
memory/3728-139-0x0000000006A30000-0x0000000006ACC000-memory.dmp

Filesize
624KB

Download
memory/3728-133-0x00000000006F0000-0x00000000007B0000-memory.dmp

Filesize
768KB

Download
memory/3728-135-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/3728-134-0x0000000005640000-0x0000000005BE4000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads