formbook | cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36

General

Target

Inv_7623980.exe
Size

641KB
MD5

f8bb833541c11d6047b83b5139c794ea
SHA1

1f7e9ecf6af1ad967edd59aeb79494b4b0b8fa2f
SHA256

cfe9062e6bd88ae993c3e8b295386c2e5e9aa7d8b9ceb168f56ccd3e0e5cbe36
SHA512

1512de031fb2f8f96b03d66c65fefc5294209eac5ecfdedb76514aa93b17ea3a42edf36b63d8d9c6c2c83940e956fc9995828f94db8d1a4070ce473b10bb9238
SSDEEP

12288:syhuMA80Mgixbs+aZvPrMygTI6iNiP59swToysTNin:syhjA8pxbsHZ4pJiNiPrswzsT

Score

10^/10

formbook m82 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/880-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/880-165-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4936-187-0x0000000000310000-0x000000000033F000-memory.dmp	formbook
behavioral2/memory/4936-195-0x0000000000310000-0x000000000033F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Inv_7623980.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Control Panel\International\Geo\Nation	Inv_7623980.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Inv_7623980.exeRegSvcs.exeNETSTAT.EXE

description	pid	process	target process
PID 524 set thread context of 880	524	Inv_7623980.exe	RegSvcs.exe
PID 880 set thread context of 3236	880	RegSvcs.exe	Explorer.EXE
PID 4936 set thread context of 3236	4936	NETSTAT.EXE	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2144 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4936 NETSTAT.EXE

pid	process
2144	schtasks.exe

pid	process
4936	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

Inv_7623980.exepowershell.exeRegSvcs.exeNETSTAT.EXE

pid	process
524	Inv_7623980.exe
524	Inv_7623980.exe
3916	powershell.exe
3916	powershell.exe
880	RegSvcs.exe
880	RegSvcs.exe
880	RegSvcs.exe
880	RegSvcs.exe
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE
4936	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3236 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exeNETSTAT.EXE

pid process

880 RegSvcs.exe
880 RegSvcs.exe
880 RegSvcs.exe
4936 NETSTAT.EXE
4936 NETSTAT.EXE

pid	process
3236	Explorer.EXE

pid	process
880	RegSvcs.exe
880	RegSvcs.exe
880	RegSvcs.exe
4936	NETSTAT.EXE
4936	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Inv_7623980.exepowershell.exeRegSvcs.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	524	Inv_7623980.exe
Token: SeDebugPrivilege	3916	powershell.exe
Token: SeDebugPrivilege	880	RegSvcs.exe
Token: SeDebugPrivilege	4936	NETSTAT.EXE
Token: SeShutdownPrivilege	3236	Explorer.EXE
Token: SeCreatePagefilePrivilege	3236	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

Inv_7623980.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 524 wrote to memory of 3916	524	Inv_7623980.exe	powershell.exe
PID 524 wrote to memory of 3916	524	Inv_7623980.exe	powershell.exe
PID 524 wrote to memory of 3916	524	Inv_7623980.exe	powershell.exe
PID 524 wrote to memory of 2144	524	Inv_7623980.exe	schtasks.exe
PID 524 wrote to memory of 2144	524	Inv_7623980.exe	schtasks.exe
PID 524 wrote to memory of 2144	524	Inv_7623980.exe	schtasks.exe
PID 524 wrote to memory of 880	524	Inv_7623980.exe	RegSvcs.exe
PID 524 wrote to memory of 880	524	Inv_7623980.exe	RegSvcs.exe
PID 524 wrote to memory of 880	524	Inv_7623980.exe	RegSvcs.exe
PID 524 wrote to memory of 880	524	Inv_7623980.exe	RegSvcs.exe
PID 524 wrote to memory of 880	524	Inv_7623980.exe	RegSvcs.exe
PID 524 wrote to memory of 880	524	Inv_7623980.exe	RegSvcs.exe
PID 3236 wrote to memory of 4936	3236	Explorer.EXE	NETSTAT.EXE
PID 3236 wrote to memory of 4936	3236	Explorer.EXE	NETSTAT.EXE
PID 3236 wrote to memory of 4936	3236	Explorer.EXE	NETSTAT.EXE
PID 4936 wrote to memory of 4824	4936	NETSTAT.EXE	cmd.exe
PID 4936 wrote to memory of 4824	4936	NETSTAT.EXE	cmd.exe
PID 4936 wrote to memory of 4824	4936	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3236

C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe
"C:\Users\Admin\AppData\Local\Temp\Inv_7623980.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\WTlsRQtwWJZBlb.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3916

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\WTlsRQtwWJZBlb" /XML "C:\Users\Admin\AppData\Local\Temp\tmp31ED.tmp"
3⤵
- Creates scheduled task(s)
PID:2144

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:880

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4936

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kacqtvm0.vqs.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp31ED.tmp
Filesize
1KB

MD5
56db6f05b475e2635ef66863f7bb914f

SHA1
4b0957953a7df39b6a60dc499125aa9d95ac7ece

SHA256
a55d08adae79004284beabcb0750ec7d0bafe2f016ea68d2a929327d5698e1eb

SHA512
7995f635447ef92cf4cbb0749289a421ae6a162c15bd19c9dfb6faa3397f96a3984c599f4f089704862b8c224f6476b913e0d6fa1b6c3b39fb315bc8b3f200e3

Download Submit
memory/524-137-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/524-133-0x0000000000F30000-0x0000000000FD6000-memory.dmp

Filesize
664KB

Download
memory/524-134-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download
memory/524-138-0x0000000005940000-0x0000000005950000-memory.dmp

Filesize
64KB

Download
memory/524-139-0x0000000007600000-0x000000000769C000-memory.dmp

Filesize
624KB

Download
memory/524-136-0x0000000005B30000-0x0000000005B3A000-memory.dmp

Filesize
40KB

Download
memory/524-135-0x0000000005970000-0x0000000005A02000-memory.dmp

Filesize
584KB

Download
memory/880-164-0x0000000001130000-0x000000000147A000-memory.dmp

Filesize
3.3MB

Download
memory/880-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/880-166-0x0000000000C40000-0x0000000000C55000-memory.dmp

Filesize
84KB

Download
memory/880-165-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3236-198-0x0000000008540000-0x00000000086BD000-memory.dmp

Filesize
1.5MB

Download
memory/3236-199-0x0000000008540000-0x00000000086BD000-memory.dmp

Filesize
1.5MB

Download
memory/3236-167-0x0000000008430000-0x0000000008533000-memory.dmp

Filesize
1.0MB

Download
memory/3916-148-0x0000000005CA0000-0x00000000062C8000-memory.dmp

Filesize
6.2MB

Download
memory/3916-191-0x0000000007F80000-0x0000000007F9A000-memory.dmp

Filesize
104KB

Download
memory/3916-157-0x0000000006340000-0x00000000063A6000-memory.dmp

Filesize
408KB

Download
memory/3916-151-0x0000000005C10000-0x0000000005C76000-memory.dmp

Filesize
408KB

Download
memory/3916-150-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/3916-168-0x00000000078E0000-0x0000000007912000-memory.dmp

Filesize
200KB

Download
memory/3916-169-0x00000000719E0000-0x0000000071A2C000-memory.dmp

Filesize
304KB

Download
memory/3916-179-0x0000000006EE0000-0x0000000006EFE000-memory.dmp

Filesize
120KB

Download
memory/3916-180-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3916-181-0x000000007F840000-0x000000007F850000-memory.dmp

Filesize
64KB

Download
memory/3916-182-0x0000000008280000-0x00000000088FA000-memory.dmp

Filesize
6.5MB

Download
memory/3916-183-0x0000000007C40000-0x0000000007C5A000-memory.dmp

Filesize
104KB

Download
memory/3916-184-0x0000000007CB0000-0x0000000007CBA000-memory.dmp

Filesize
40KB

Download
memory/3916-144-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/3916-146-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/3916-192-0x0000000007F60000-0x0000000007F68000-memory.dmp

Filesize
32KB

Download
memory/3916-188-0x0000000007EC0000-0x0000000007F56000-memory.dmp

Filesize
600KB

Download
memory/3916-189-0x0000000007E70000-0x0000000007E7E000-memory.dmp

Filesize
56KB

Download
memory/3916-162-0x0000000006920000-0x000000000693E000-memory.dmp

Filesize
120KB

Download
memory/4936-190-0x0000000000C40000-0x0000000000F8A000-memory.dmp

Filesize
3.3MB

Download
memory/4936-187-0x0000000000310000-0x000000000033F000-memory.dmp

Filesize
188KB

Download
memory/4936-195-0x0000000000310000-0x000000000033F000-memory.dmp

Filesize
188KB

Download
memory/4936-197-0x0000000000A90000-0x0000000000B24000-memory.dmp

Filesize
592KB

Download
memory/4936-186-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download
memory/4936-185-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads