formbook | fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372

General

Target

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
Size

800KB
MD5

f012f4e4f4bc3d5989ec7e74574567d9
SHA1

c130806d7f968656825c6357a01b9809bd586637
SHA256

fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372
SHA512

67496a7eac21bcb95621734c38ac906f657fce34598b7d7e31524a06d6633059fdedb9e29c07d0c81298a6b0b86fdd7219a0b862111984eba9e992b06fac3d45
SSDEEP

24576:FZHsZLj9epRclsNQ5Vzd1LWOqNt/w4Qz2Dw:FhsZLBepRclLHLOxw4W20

Score

10^/10

formbook jr22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Extracted

Family

formbook

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2012-76-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2012-80-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1620-86-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/1620-88-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2004 cmd.exe

pid	process
2004	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exeElektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exehelp.exe

description	pid	process	target process
PID 1632 set thread context of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 2012 set thread context of 1252	2012	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Explorer.EXE
PID 1620 set thread context of 1252	1620	help.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe

pid	process
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

powershell.exepowershell.exeElektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exehelp.exe

pid	process
588	powershell.exe
268	powershell.exe
2012	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
2012	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe
1620	help.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE

pid	process
1252	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exehelp.exe

pid	process
2012	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
2012	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
2012	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
1620	help.exe
1620	help.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exepowershell.exeElektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	588	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	2012	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
Token: SeDebugPrivilege	1620	help.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1632 wrote to memory of 588	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 588	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 588	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 588	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 268	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 268	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 268	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 268	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 1632 wrote to memory of 1696	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	schtasks.exe
PID 1632 wrote to memory of 1696	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	schtasks.exe
PID 1632 wrote to memory of 1696	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	schtasks.exe
PID 1632 wrote to memory of 1696	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	schtasks.exe
PID 1632 wrote to memory of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 1632 wrote to memory of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 1632 wrote to memory of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 1632 wrote to memory of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 1632 wrote to memory of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 1632 wrote to memory of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 1632 wrote to memory of 2012	1632	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 1252 wrote to memory of 1620	1252	Explorer.EXE	help.exe
PID 1252 wrote to memory of 1620	1252	Explorer.EXE	help.exe
PID 1252 wrote to memory of 1620	1252	Explorer.EXE	help.exe
PID 1252 wrote to memory of 1620	1252	Explorer.EXE	help.exe
PID 1620 wrote to memory of 2004	1620	help.exe	cmd.exe
PID 1620 wrote to memory of 2004	1620	help.exe	cmd.exe
PID 1620 wrote to memory of 2004	1620	help.exe	cmd.exe
PID 1620 wrote to memory of 2004	1620	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
  "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:588
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GfOJSw.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GfOJSw" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5D4.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:1696
- - C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
    "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2012
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2000
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1720
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:1052
- C:\Windows\SysWOW64\help.exe
  "C:\Windows\SysWOW64\help.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
    3⤵
    - Deletes itself
    PID:2004

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF5D4.tmp

Filesize
1KB

MD5
04c30214e98be4eef388e684fa85dea0

SHA1
a8ce823463fe758ec3f8efbe065d544e54cfde31

SHA256
5ed1f17247c5745b4225ae661b6b81b0872fc97366524d850802d1681d1c1ad7

SHA512
d951c3ee9b5d8d309564532ac25e56df90065954b39b6479b1f9458590a87eaddd481af018af9b9e746c629c6e080ebc3796001cb8bb4ca5e994e1628a0d8e80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\G1VE5Q9WQS06SR09AOV2.temp

Filesize
7KB

MD5
3d94ddafd366c644d6866d9f7b1d1dd0

SHA1
227bd05c90682698070cb951dbb43aabb14ca8c5

SHA256
a504ffbff1bdff52b9122da3cc7103110ee2749373f55072f8b2dbb9b5ca46e1

SHA512
a489c3e89c905aa988485034f52abf7454bbd288b64a1b3db2a1b55dab7cf689ee3fcc4cebc17f87a75cea1467fd56ac932a864ab39e083caeef7c60a0421ac5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
3d94ddafd366c644d6866d9f7b1d1dd0

SHA1
227bd05c90682698070cb951dbb43aabb14ca8c5

SHA256
a504ffbff1bdff52b9122da3cc7103110ee2749373f55072f8b2dbb9b5ca46e1

SHA512
a489c3e89c905aa988485034f52abf7454bbd288b64a1b3db2a1b55dab7cf689ee3fcc4cebc17f87a75cea1467fd56ac932a864ab39e083caeef7c60a0421ac5

Download Submit
memory/268-79-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/1252-94-0x0000000006D90000-0x0000000006F0B000-memory.dmp

Filesize
1.5MB

Download
memory/1252-83-0x0000000006A70000-0x0000000006BFB000-memory.dmp

Filesize
1.5MB

Download
memory/1252-91-0x0000000006D90000-0x0000000006F0B000-memory.dmp

Filesize
1.5MB

Download
memory/1252-92-0x0000000006D90000-0x0000000006F0B000-memory.dmp

Filesize
1.5MB

Download
memory/1620-88-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1620-90-0x0000000000620000-0x00000000006B3000-memory.dmp

Filesize
588KB

Download
memory/1620-86-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/1620-87-0x0000000000740000-0x0000000000A43000-memory.dmp

Filesize
3.0MB

Download
memory/1620-85-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/1620-84-0x0000000000F70000-0x0000000000F76000-memory.dmp

Filesize
24KB

Download
memory/1632-72-0x00000000051C0000-0x00000000051F8000-memory.dmp

Filesize
224KB

Download
memory/1632-58-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1632-55-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/1632-56-0x0000000000410000-0x000000000042E000-memory.dmp

Filesize
120KB

Download
memory/1632-57-0x0000000004BA0000-0x0000000004BE0000-memory.dmp

Filesize
256KB

Download
memory/1632-54-0x0000000000940000-0x0000000000A0E000-memory.dmp

Filesize
824KB

Download
memory/1632-59-0x0000000005620000-0x00000000056D0000-memory.dmp

Filesize
704KB

Download
memory/2012-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-82-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/2012-81-0x0000000000A10000-0x0000000000D13000-memory.dmp

Filesize
3.0MB

Download
memory/2012-80-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-75-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2012-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2012-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads