formbook | cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36

General

Target

Inv_7623980.exe
Size

641KB
MD5

f8bb833541c11d6047b83b5139c794ea
SHA1

1f7e9ecf6af1ad967edd59aeb79494b4b0b8fa2f
SHA256

cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36
SHA512

1512de031fb2f8f96b03d66c65fefc5294209eac5ecfdedb76514aa93b17ea3a42edf36b63d8d9c6c2c83940e956fc9995828f94db8d1a4070ce473b10bb9238
SSDEEP

12288:syhuMA80Mgixbs+aZvPrMygTI6iNiP59swToysTNin:syhjA8pxbsHZ4pJiNiPrswzsT

Score

10^/10

formbook m82 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1516-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/924-72-0x0000000002640000-0x0000000002680000-memory.dmp	formbook
behavioral1/memory/1516-78-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1516-82-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/892-85-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/892-87-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Inv_7623980.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 2044 set thread context of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 1516 set thread context of 1248	1516	RegSvcs.exe	Explorer.EXE
PID 1516 set thread context of 1248	1516	RegSvcs.exe	Explorer.EXE
PID 892 set thread context of 1248	892	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

472 schtasks.exe

pid	process
472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Inv_7623980.exepowershell.exeRegSvcs.execmd.exe

pid	process
2044	Inv_7623980.exe
2044	Inv_7623980.exe
924	powershell.exe
1516	RegSvcs.exe
1516	RegSvcs.exe
1516	RegSvcs.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe
892	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.execmd.exe

pid process

1516 RegSvcs.exe
1516 RegSvcs.exe
1516 RegSvcs.exe
1516 RegSvcs.exe
892 cmd.exe
892 cmd.exe

pid	process
1248	Explorer.EXE

pid	process
1516	RegSvcs.exe
1516	RegSvcs.exe
1516	RegSvcs.exe
1516	RegSvcs.exe
892	cmd.exe
892	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

Inv_7623980.exepowershell.exeRegSvcs.execmd.exe

description	pid	process
Token: SeDebugPrivilege	2044	Inv_7623980.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	1516	RegSvcs.exe
Token: SeDebugPrivilege	892	cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

Inv_7623980.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2044 wrote to memory of 924	2044	Inv_7623980.exe	powershell.exe
PID 2044 wrote to memory of 924	2044	Inv_7623980.exe	powershell.exe
PID 2044 wrote to memory of 924	2044	Inv_7623980.exe	powershell.exe
PID 2044 wrote to memory of 924	2044	Inv_7623980.exe	powershell.exe
PID 2044 wrote to memory of 472	2044	Inv_7623980.exe	schtasks.exe
PID 2044 wrote to memory of 472	2044	Inv_7623980.exe	schtasks.exe
PID 2044 wrote to memory of 472	2044	Inv_7623980.exe	schtasks.exe
PID 2044 wrote to memory of 472	2044	Inv_7623980.exe	schtasks.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 2044 wrote to memory of 1516	2044	Inv_7623980.exe	RegSvcs.exe
PID 1248 wrote to memory of 892	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 892	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 892	1248	Explorer.EXE	cmd.exe
PID 1248 wrote to memory of 892	1248	Explorer.EXE	cmd.exe
PID 892 wrote to memory of 984	892	cmd.exe	cmd.exe
PID 892 wrote to memory of 984	892	cmd.exe	cmd.exe
PID 892 wrote to memory of 984	892	cmd.exe	cmd.exe
PID 892 wrote to memory of 984	892	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248

C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe
"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2044

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WTlsRQtwWJZBlb.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:924

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTlsRQtwWJZBlb" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp"
3⤵
- Creates scheduled task(s)
PID:472

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1516

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1720

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:984

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpB694.tmp
Filesize
1KB

MD5
5666a8e7d4f2e970fe1f9b011e5e4b93

SHA1
344399ada999667247e9a58550fa0274e8914601

SHA256
6e937311a185abfddf3d1a5dfa208dc6dac8812429e2d3d9aad6e6cbade150f2

SHA512
4be5804efed364e4f3515d75c19906408c889ca0029224e397670e7386c1d3b6bdbb0cd0dc2190d45eadbcccf18431f7a003e772a58ac6c2e4b77d16fe1e340c

Download Submit
memory/892-84-0x000000004A090000-0x000000004A0DC000-memory.dmp

Filesize
304KB

Download
memory/892-85-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/892-83-0x000000004A090000-0x000000004A0DC000-memory.dmp

Filesize
304KB

Download
memory/892-89-0x0000000001DA0000-0x0000000001E34000-memory.dmp

Filesize
592KB

Download
memory/892-87-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/892-86-0x0000000001F10000-0x0000000002213000-memory.dmp

Filesize
3.0MB

Download
memory/924-72-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/924-73-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1248-93-0x0000000006A20000-0x0000000006B5B000-memory.dmp

Filesize
1.2MB

Download
memory/1248-91-0x0000000006A20000-0x0000000006B5B000-memory.dmp

Filesize
1.2MB

Download
memory/1248-77-0x00000000072A0000-0x000000000744B000-memory.dmp

Filesize
1.7MB

Download
memory/1248-90-0x0000000006A20000-0x0000000006B5B000-memory.dmp

Filesize
1.2MB

Download
memory/1248-81-0x0000000007530000-0x00000000076B8000-memory.dmp

Filesize
1.5MB

Download
memory/1248-79-0x00000000039D0000-0x0000000003AD0000-memory.dmp

Filesize
1024KB

Download
memory/1516-75-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1516-82-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-78-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-80-0x00000000001E0000-0x00000000001F5000-memory.dmp

Filesize
84KB

Download
memory/1516-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1516-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1516-76-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/1516-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-54-0x00000000002D0000-0x0000000000376000-memory.dmp

Filesize
664KB

Download
memory/2044-67-0x0000000005170000-0x00000000051A8000-memory.dmp

Filesize
224KB

Download
memory/2044-59-0x00000000051C0000-0x0000000005230000-memory.dmp

Filesize
448KB

Download
memory/2044-58-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/2044-57-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/2044-56-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2044-55-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads