formbook | 6d8cd5b437db834821da59ec82032cb88c459cb614382e4125c208f42c35a7bd

General

Target

payment.exe
Size

896KB
MD5

b7d660d51a724b8878d766a1fa0e11bf
SHA1

bb634ce4d27ff2da2e0aa84fc69a113f9b1a2da5
SHA256

6d8cd5b437db834821da59ec82032cb88c459cb614382e4125c208f42c35a7bd
SHA512

9f56fd4f9b42c69da6f49926be00118ff6396c2a5589ad6b70141b91efdbf30a19b2d75d4aff3779f73398df80f485f0197952b82fafc77def01da821c03f1fb
SSDEEP

12288:w2iNfUFotEvZ41YJsWKf4G5rNT2m4B8mHGiTJ+A2K4LbBm+vFhEVBZ5iEu3I:w1Bs0qZ4aeWKR5rNTi8mmiTA8B/u4

Score

10^/10

formbook m82 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/828-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/524-74-0x00000000025E0000-0x0000000002620000-memory.dmp	formbook
behavioral1/memory/828-76-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/828-85-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1136-87-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1136-89-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

payment.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 2024 set thread context of 828	2024	payment.exe	RegSvcs.exe
PID 828 set thread context of 1352	828	RegSvcs.exe	Explorer.EXE
PID 828 set thread context of 1352	828	RegSvcs.exe	Explorer.EXE
PID 1136 set thread context of 1352	1136	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1468 schtasks.exe

pid	process
1468	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

payment.exepowershell.exeRegSvcs.execmd.exe

pid	process
2024	payment.exe
2024	payment.exe
524	powershell.exe
828	RegSvcs.exe
828	RegSvcs.exe
828	RegSvcs.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe
1136	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.execmd.exe

pid process

828 RegSvcs.exe
828 RegSvcs.exe
828 RegSvcs.exe
828 RegSvcs.exe
1136 cmd.exe
1136 cmd.exe

pid	process
1352	Explorer.EXE

pid	process
828	RegSvcs.exe
828	RegSvcs.exe
828	RegSvcs.exe
828	RegSvcs.exe
1136	cmd.exe
1136	cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

payment.exepowershell.exeRegSvcs.execmd.exe

description	pid	process
Token: SeDebugPrivilege	2024	payment.exe
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	828	RegSvcs.exe
Token: SeDebugPrivilege	1136	cmd.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1352 Explorer.EXE
1352 Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

pid	process
1352	Explorer.EXE
1352	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

payment.exeRegSvcs.execmd.exe

description	pid	process	target process
PID 2024 wrote to memory of 524	2024	payment.exe	powershell.exe
PID 2024 wrote to memory of 524	2024	payment.exe	powershell.exe
PID 2024 wrote to memory of 524	2024	payment.exe	powershell.exe
PID 2024 wrote to memory of 524	2024	payment.exe	powershell.exe
PID 2024 wrote to memory of 1468	2024	payment.exe	schtasks.exe
PID 2024 wrote to memory of 1468	2024	payment.exe	schtasks.exe
PID 2024 wrote to memory of 1468	2024	payment.exe	schtasks.exe
PID 2024 wrote to memory of 1468	2024	payment.exe	schtasks.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 2024 wrote to memory of 828	2024	payment.exe	RegSvcs.exe
PID 828 wrote to memory of 1136	828	RegSvcs.exe	cmd.exe
PID 828 wrote to memory of 1136	828	RegSvcs.exe	cmd.exe
PID 828 wrote to memory of 1136	828	RegSvcs.exe	cmd.exe
PID 828 wrote to memory of 1136	828	RegSvcs.exe	cmd.exe
PID 1136 wrote to memory of 1992	1136	cmd.exe	cmd.exe
PID 1136 wrote to memory of 1992	1136	cmd.exe	cmd.exe
PID 1136 wrote to memory of 1992	1136	cmd.exe	cmd.exe
PID 1136 wrote to memory of 1992	1136	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1352

C:\Users\Admin\AppData\Local\Temp\payment.exe
"C:\Users\Admin\AppData\Local\Temp\payment.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\KjYYLsJs.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\KjYYLsJs" /XML "C:\Users\Admin\AppData\Local\Temp\tmp780.tmp"
3⤵
- Creates scheduled task(s)
PID:1468

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:828

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
4⤵
PID:1108

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1136

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
5⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp780.tmp
Filesize
1KB

MD5
58fdc295615da845a133d1c99181d12b

SHA1
6c3cdf212064153d6d8f35374cdc1139b1fcb854

SHA256
7c94be72535346b7fc0c114cfcc6e6f33edce6c56c3109fb35cf50a0cd110f1b

SHA512
6c6a46354b12cc453f1020b3335469537859cdebd914074b666a3f326a0bbbaf95edae9b05f7f2e0b0bd80ea2bf562c9d3dd93c963c03796f6db4b99c7763ceb

Download Submit
memory/524-77-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/524-78-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/524-74-0x00000000025E0000-0x0000000002620000-memory.dmp

Filesize
256KB

Download
memory/828-85-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-79-0x00000000002E0000-0x00000000002F5000-memory.dmp

Filesize
84KB

Download
memory/828-82-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/828-76-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-70-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/828-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-73-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1136-87-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1136-90-0x0000000001C80000-0x0000000001D14000-memory.dmp

Filesize
592KB

Download
memory/1136-89-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1136-88-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/1136-84-0x000000004AC80000-0x000000004ACCC000-memory.dmp

Filesize
304KB

Download
memory/1136-86-0x000000004AC80000-0x000000004ACCC000-memory.dmp

Filesize
304KB

Download
memory/1352-96-0x0000000004C80000-0x0000000004D7F000-memory.dmp

Filesize
1020KB

Download
memory/1352-94-0x0000000004C80000-0x0000000004D7F000-memory.dmp

Filesize
1020KB

Download
memory/1352-93-0x0000000004C80000-0x0000000004D7F000-memory.dmp

Filesize
1020KB

Download
memory/1352-80-0x00000000049C0000-0x0000000004AA3000-memory.dmp

Filesize
908KB

Download
memory/1352-83-0x0000000007200000-0x0000000007389000-memory.dmp

Filesize
1.5MB

Download
memory/2024-59-0x0000000005DB0000-0x0000000005E20000-memory.dmp

Filesize
448KB

Download
memory/2024-54-0x0000000000170000-0x0000000000256000-memory.dmp

Filesize
920KB

Download
memory/2024-58-0x0000000000540000-0x000000000054A000-memory.dmp

Filesize
40KB

Download
memory/2024-57-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2024-55-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2024-56-0x0000000000530000-0x000000000053E000-memory.dmp

Filesize
56KB

Download
memory/2024-65-0x0000000004D50000-0x0000000004D88000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads