formbook | fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
22-03-2023 19:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
Size

800KB
MD5

f012f4e4f4bc3d5989ec7e74574567d9
SHA1

c130806d7f968656825c6357a01b9809bd586637
SHA256

fcc1683097894f7f965dcbb2abcd28e98f4ab15e925ceaa75ae35bcf0c88f372
SHA512

67496a7eac21bcb95621734c38ac906f657fce34598b7d7e31524a06d6633059fdedb9e29c07d0c81298a6b0b86fdd7219a0b862111984eba9e992b06fac3d45
SSDEEP

24576:FZHsZLj9epRclsNQ5Vzd1LWOqNt/w4Qz2Dw:FhsZLBepRclLHLOxw4W20

Score

10^/10

formbook jr22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr22

Decoy

941zhe.com

lunarportal.space

xn--osmaniyeiek-t9ab.online

trejoscar.com

nrnursery.com

quizcannot.cfd

seedstockersthailand.com

watsonwindow.com

wjfholdings.com

weziclondon.com

naruot.xyz

yeji.plus

classicmenstore.com

oharatravel.com

therapyplankits.com

keviegreshonpt.com

qdlyner.com

seithupaarungal.com

casinorates.online

8ug4as.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4412-150-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4412-176-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3952-212-0x00000000008E0000-0x000000000090F000-memory.dmp	formbook
behavioral2/memory/3952-222-0x00000000008E0000-0x000000000090F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exeElektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.execmstp.exe

description	pid	process	target process
PID 4564 set thread context of 4412	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 4412 set thread context of 3108	4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Explorer.EXE
PID 3952 set thread context of 3108	3952	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5116 schtasks.exe

pid	process
5116	schtasks.exe

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

powershell.exepowershell.exeElektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.execmstp.exe

pid	process
2756	powershell.exe
5004	powershell.exe
2756	powershell.exe
4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
5004	powershell.exe
4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe
3952	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3108 Explorer.EXE

pid	process
3108	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.execmstp.exe

pid	process
4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
3952	cmstp.exe
3952	cmstp.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

powershell.exepowershell.exeElektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.execmstp.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	4412	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
Token: SeDebugPrivilege	3952	cmstp.exe
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE
Token: SeShutdownPrivilege	3108	Explorer.EXE
Token: SeCreatePagefilePrivilege	3108	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4564 wrote to memory of 5004	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 4564 wrote to memory of 5004	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 4564 wrote to memory of 5004	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 4564 wrote to memory of 2756	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 4564 wrote to memory of 2756	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 4564 wrote to memory of 2756	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	powershell.exe
PID 4564 wrote to memory of 5116	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	schtasks.exe
PID 4564 wrote to memory of 5116	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	schtasks.exe
PID 4564 wrote to memory of 5116	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	schtasks.exe
PID 4564 wrote to memory of 4412	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 4564 wrote to memory of 4412	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 4564 wrote to memory of 4412	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 4564 wrote to memory of 4412	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 4564 wrote to memory of 4412	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 4564 wrote to memory of 4412	4564	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe	Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
PID 3108 wrote to memory of 3952	3108	Explorer.EXE	cmstp.exe
PID 3108 wrote to memory of 3952	3108	Explorer.EXE	cmstp.exe
PID 3108 wrote to memory of 3952	3108	Explorer.EXE	cmstp.exe
PID 3952 wrote to memory of 4944	3952	cmstp.exe	cmd.exe
PID 3952 wrote to memory of 4944	3952	cmstp.exe	cmd.exe
PID 3952 wrote to memory of 4944	3952	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
  "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4564
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:5004
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\GfOJSw.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\GfOJSw" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:5116
- - C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe
    "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4412
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3952
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Elektronik Odeme Bilgileri Swift mesaji makbuzu 20230322_8755450T.exe"
    3⤵
    PID:4944

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
968cb9309758126772781b83adb8a28f

SHA1
8da30e71accf186b2ba11da1797cf67f8f78b47c

SHA256
92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a

SHA512
4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
18KB

MD5
7bfc35d049209a5cec95c907beb751b8

SHA1
253318869bd2966f64976aece4fb4efee31a7812

SHA256
7d2566afdc93da98fd1deadde72c66b3e6883b0376fe60095783a66d7772de69

SHA512
ed19cfc441be59f4e298fc42188e61d3345821ea522b1d6bf6d0d76c87c63e2b7e461aaf4e2b821664ce59fa0a4758cb95396c12250b80a15a175b07fba11e4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_edn5jw2z.ino.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6A43.tmp

Filesize
1KB

MD5
7487412764d1433889901fd16068317f

SHA1
aa66f58d28fe9078c6c3752a0e12ded4ae211ca5

SHA256
f751c1225477681f0c26d269215ffe5a548e97a4878c265a73427e85179bc645

SHA512
6e42ee11ba6bbe8bcc805392485d3c760c9d54da48544b77d1c0e925fba9a61e65b3afad66decfea5155fd67331eb0d30956a6b1417bce7cdf19db08dc3bc925

Download Submit
memory/2756-148-0x0000000005400000-0x0000000005466000-memory.dmp

Filesize
408KB

Download
memory/2756-182-0x0000000006900000-0x0000000006932000-memory.dmp

Filesize
200KB

Download
memory/2756-214-0x0000000007990000-0x00000000079AA000-memory.dmp

Filesize
104KB

Download
memory/2756-213-0x0000000007880000-0x000000000788E000-memory.dmp

Filesize
56KB

Download
memory/2756-207-0x000000007F410000-0x000000007F420000-memory.dmp

Filesize
64KB

Download
memory/2756-180-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/2756-174-0x0000000006330000-0x000000000634E000-memory.dmp

Filesize
120KB

Download
memory/2756-149-0x0000000005B60000-0x0000000005BC6000-memory.dmp

Filesize
408KB

Download
memory/2756-206-0x00000000076C0000-0x00000000076CA000-memory.dmp

Filesize
40KB

Download
memory/2756-204-0x0000000007C90000-0x000000000830A000-memory.dmp

Filesize
6.5MB

Download
memory/2756-173-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/2756-158-0x0000000002B90000-0x0000000002BA0000-memory.dmp

Filesize
64KB

Download
memory/2756-189-0x00000000752C0000-0x000000007530C000-memory.dmp

Filesize
304KB

Download
memory/3108-225-0x0000000002D80000-0x0000000002E2D000-memory.dmp

Filesize
692KB

Download
memory/3108-228-0x0000000002D80000-0x0000000002E2D000-memory.dmp

Filesize
692KB

Download
memory/3108-179-0x0000000008480000-0x0000000008599000-memory.dmp

Filesize
1.1MB

Download
memory/3108-226-0x0000000002D80000-0x0000000002E2D000-memory.dmp

Filesize
692KB

Download
memory/3952-211-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/3952-210-0x0000000000CB0000-0x0000000000CC6000-memory.dmp

Filesize
88KB

Download
memory/3952-224-0x00000000026E0000-0x0000000002773000-memory.dmp

Filesize
588KB

Download
memory/3952-222-0x00000000008E0000-0x000000000090F000-memory.dmp

Filesize
188KB

Download
memory/3952-218-0x0000000002A40000-0x0000000002D8A000-memory.dmp

Filesize
3.3MB

Download
memory/3952-212-0x00000000008E0000-0x000000000090F000-memory.dmp

Filesize
188KB

Download
memory/4412-177-0x0000000001090000-0x00000000013DA000-memory.dmp

Filesize
3.3MB

Download
memory/4412-176-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-150-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4412-178-0x0000000000F30000-0x0000000000F44000-memory.dmp

Filesize
80KB

Download
memory/4564-138-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4564-137-0x0000000004D10000-0x0000000004D20000-memory.dmp

Filesize
64KB

Download
memory/4564-134-0x0000000005330000-0x00000000058D4000-memory.dmp

Filesize
5.6MB

Download
memory/4564-135-0x0000000004E20000-0x0000000004EB2000-memory.dmp

Filesize
584KB

Download
memory/4564-136-0x0000000004DA0000-0x0000000004DAA000-memory.dmp

Filesize
40KB

Download
memory/4564-139-0x0000000006690000-0x000000000672C000-memory.dmp

Filesize
624KB

Download
memory/4564-133-0x0000000000310000-0x00000000003DE000-memory.dmp

Filesize
824KB

Download
memory/5004-151-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/5004-144-0x0000000002CB0000-0x0000000002CE6000-memory.dmp

Filesize
216KB

Download
memory/5004-205-0x00000000078F0000-0x000000000790A000-memory.dmp

Filesize
104KB

Download
memory/5004-215-0x0000000007C10000-0x0000000007C18000-memory.dmp

Filesize
32KB

Download
memory/5004-194-0x0000000006B80000-0x0000000006B9E000-memory.dmp

Filesize
120KB

Download
memory/5004-157-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/5004-147-0x0000000005530000-0x0000000005552000-memory.dmp

Filesize
136KB

Download
memory/5004-183-0x00000000752C0000-0x000000007530C000-memory.dmp

Filesize
304KB

Download
memory/5004-181-0x0000000002CF0000-0x0000000002D00000-memory.dmp

Filesize
64KB

Download
memory/5004-209-0x0000000007B70000-0x0000000007C06000-memory.dmp

Filesize
600KB

Download
memory/5004-208-0x000000007EF60000-0x000000007EF70000-memory.dmp

Filesize
64KB

Download
memory/5004-145-0x0000000005910000-0x0000000005F38000-memory.dmp

Filesize
6.2MB

Download