formbook | a25247a44c6daf029eae02060c11c9a946d0648f2eedc1a6348822c7c6590af3

General

Target

tmp4xdhc_0k.exe
Size

612KB
MD5

97ab2171b12f2e2b41f65c02f23da953
SHA1

5f8c09681c05ef89b17737eebe9452e522848428
SHA256

a25247a44c6daf029eae02060c11c9a946d0648f2eedc1a6348822c7c6590af3
SHA512

f2f4816d4d7be2cf90ce6310ca1fc4dd02f556d8bad21b9f22e1a8092bea20f9ebd0667dec726cfdb6cb338c61b8a295420f18a07abbbfc10500482b4d6ed2b7
SSDEEP

12288:UjLj//DKqnAoX8EIrdQE0b/QFoOKIrpYZIrDb0kt7OSbSU/:UPb/5n78rWzQSyCSrDb0kt7Hbf/

Score

10^/10

formbook m82 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1780-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1780-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/568-77-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/568-80-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2020 set thread context of 1780	2020	tmp4xdhc_0k.exe	30
PID 1780 set thread context of 1312	1780	RegSvcs.exe	16
PID 568 set thread context of 1312	568	wuapp.exe	16

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2020	tmp4xdhc_0k.exe
1780	RegSvcs.exe
1780	RegSvcs.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe
568	wuapp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1312	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1780	RegSvcs.exe
1780	RegSvcs.exe
1780	RegSvcs.exe
568	wuapp.exe
568	wuapp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2020	tmp4xdhc_0k.exe
Token: SeDebugPrivilege	1780	RegSvcs.exe
Token: SeDebugPrivilege	568	wuapp.exe
Token: SeShutdownPrivilege	1312	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 768	2020	tmp4xdhc_0k.exe	28
PID 2020 wrote to memory of 768	2020	tmp4xdhc_0k.exe	28
PID 2020 wrote to memory of 768	2020	tmp4xdhc_0k.exe	28
PID 2020 wrote to memory of 768	2020	tmp4xdhc_0k.exe	28
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 2020 wrote to memory of 1780	2020	tmp4xdhc_0k.exe	30
PID 1312 wrote to memory of 568	1312	Explorer.EXE	31
PID 1312 wrote to memory of 568	1312	Explorer.EXE	31
PID 1312 wrote to memory of 568	1312	Explorer.EXE	31
PID 1312 wrote to memory of 568	1312	Explorer.EXE	31
PID 1312 wrote to memory of 568	1312	Explorer.EXE	31
PID 1312 wrote to memory of 568	1312	Explorer.EXE	31
PID 1312 wrote to memory of 568	1312	Explorer.EXE	31
PID 568 wrote to memory of 1008	568	wuapp.exe	32
PID 568 wrote to memory of 1008	568	wuapp.exe	32
PID 568 wrote to memory of 1008	568	wuapp.exe	32
PID 568 wrote to memory of 1008	568	wuapp.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\tmp4xdhc_0k.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp4xdhc_0k.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2020
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\pWWigddan" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBF1C.tmp"
    3⤵
    - Creates scheduled task(s)
    PID:768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1780
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:568
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
    3⤵
    PID:1008

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpBF1C.tmp

Filesize
1KB

MD5
5940d2250d23924b5a3f7c3eef577535

SHA1
9980583ed2f706b3f181a82f895bbb46b0e01772

SHA256
cc21fd76f09770e660d9db2c09085b32453d3477ec0ee6c393e1c371713d3879

SHA512
0484588601469ca7b6812d63cb0cc2359b04c5b71bf5ad8a5df317e6bfb47920f347aa1ceaa8132655ccc29f01e3c12d8d3b92be247935d0264d30b97cc4d79d

Download Submit
memory/568-81-0x0000000000930000-0x00000000009C4000-memory.dmp

Filesize
592KB

Download
memory/568-80-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/568-78-0x0000000001FC0000-0x00000000022C3000-memory.dmp

Filesize
3.0MB

Download
memory/568-77-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/568-76-0x0000000000BB0000-0x0000000000BBB000-memory.dmp

Filesize
44KB

Download
memory/568-75-0x0000000000BB0000-0x0000000000BBB000-memory.dmp

Filesize
44KB

Download
memory/1312-70-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1312-86-0x0000000006EA0000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1312-84-0x0000000006EA0000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1312-82-0x0000000006EA0000-0x0000000006FD0000-memory.dmp

Filesize
1.2MB

Download
memory/1312-74-0x0000000006210000-0x000000000630F000-memory.dmp

Filesize
1020KB

Download
memory/1780-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-72-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/1780-73-0x0000000000260000-0x0000000000275000-memory.dmp

Filesize
84KB

Download
memory/1780-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1780-67-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2020-54-0x0000000001090000-0x0000000001130000-memory.dmp

Filesize
640KB

Download
memory/2020-61-0x0000000004BE0000-0x0000000004C14000-memory.dmp

Filesize
208KB

Download
memory/2020-60-0x0000000007F40000-0x0000000007FC6000-memory.dmp

Filesize
536KB

Download
memory/2020-59-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2020-58-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2020-57-0x000000007EF40000-0x000000007EF50000-memory.dmp

Filesize
64KB

Download
memory/2020-56-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2020-55-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads