formbook | cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca

General

Target

60822680920de27aed07c2352.exe
Size

594KB
MD5

60822680920de27aed07c2352674f05c
SHA1

4d250b0dcf899a48ea668343fef7e724c58fc6a3
SHA256

cbdd01f3d5cf0da163dffcfeb7ac99de37e94c2b3467630dd4b09ac64bd286ca
SHA512

3ff5d5231a7321abc742afb28f713bb2d4486361aa8be33a39b4f3b13700ba40b174aba63bf1c7dc9187aa37a585d815fe0fedf3d3bbaedeffa4f6e7646cf3a4
SSDEEP

12288:QmlBwdW5vk/j4it8ygmgLotNhzT4j2vwvYRTf6/AP1ckphDX:T6dW58/DtMLotr06ovi1ckphr

Score

10^/10

formbook mf6w rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mf6w

Decoy

shiftfailure.com

wjfglobal.com

gongfuteahouse.com

kocaalivilla.com

atlheadshotphoto.com

dppop.com

padokhep.com

localventuremarketing.com

5zh3ang.com

okminisip.com

houseofmanus.com

6339777.com

fabitgood.com

yaboleyuvip9.com

abbia-group.com

tearsofthekingdomrecipes.com

ukpornagency.com

hangar18lab.com

diamond-manpower.com

yourfrancoach.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1972-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1972-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2380-76-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/2380-78-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2996	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1340 set thread context of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1972 set thread context of 1216	1972	60822680920de27aed07c2352.exe	14
PID 2380 set thread context of 1216	2380	NAPSTAT.EXE	14

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1340	60822680920de27aed07c2352.exe
1340	60822680920de27aed07c2352.exe
1972	60822680920de27aed07c2352.exe
1972	60822680920de27aed07c2352.exe
1168	powershell.exe
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1216	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1972	60822680920de27aed07c2352.exe
1972	60822680920de27aed07c2352.exe
1972	60822680920de27aed07c2352.exe
2380	NAPSTAT.EXE
2380	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	1340	60822680920de27aed07c2352.exe
Token: SeDebugPrivilege	1972	60822680920de27aed07c2352.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	2380	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 23 IoCs

description	pid	Process	procid_target
PID 1340 wrote to memory of 1168	1340	60822680920de27aed07c2352.exe	29
PID 1340 wrote to memory of 1168	1340	60822680920de27aed07c2352.exe	29
PID 1340 wrote to memory of 1168	1340	60822680920de27aed07c2352.exe	29
PID 1340 wrote to memory of 1168	1340	60822680920de27aed07c2352.exe	29
PID 1340 wrote to memory of 1976	1340	60822680920de27aed07c2352.exe	31
PID 1340 wrote to memory of 1976	1340	60822680920de27aed07c2352.exe	31
PID 1340 wrote to memory of 1976	1340	60822680920de27aed07c2352.exe	31
PID 1340 wrote to memory of 1976	1340	60822680920de27aed07c2352.exe	31
PID 1340 wrote to memory of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1340 wrote to memory of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1340 wrote to memory of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1340 wrote to memory of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1340 wrote to memory of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1340 wrote to memory of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1340 wrote to memory of 1972	1340	60822680920de27aed07c2352.exe	32
PID 1216 wrote to memory of 2380	1216	Explorer.EXE	33
PID 1216 wrote to memory of 2380	1216	Explorer.EXE	33
PID 1216 wrote to memory of 2380	1216	Explorer.EXE	33
PID 1216 wrote to memory of 2380	1216	Explorer.EXE	33
PID 2380 wrote to memory of 2996	2380	NAPSTAT.EXE	34
PID 2380 wrote to memory of 2996	2380	NAPSTAT.EXE	34
PID 2380 wrote to memory of 2996	2380	NAPSTAT.EXE	34
PID 2380 wrote to memory of 2996	2380	NAPSTAT.EXE	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1216
- C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe
  "C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1340
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1168
- - C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe
    "C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe"
    3⤵
    PID:1976
- - C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe
    "C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1972
- C:\Windows\SysWOW64\NAPSTAT.EXE
  "C:\Windows\SysWOW64\NAPSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\60822680920de27aed07c2352.exe"
    3⤵
    - Deletes itself
    PID:2996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-69-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1168-72-0x0000000002640000-0x0000000002680000-memory.dmp

Filesize
256KB

Download
memory/1216-85-0x0000000006990000-0x0000000006A85000-memory.dmp

Filesize
980KB

Download
memory/1216-71-0x0000000005100000-0x00000000051B8000-memory.dmp

Filesize
736KB

Download
memory/1216-67-0x0000000003750000-0x0000000003850000-memory.dmp

Filesize
1024KB

Download
memory/1216-81-0x0000000006990000-0x0000000006A85000-memory.dmp

Filesize
980KB

Download
memory/1216-82-0x0000000006990000-0x0000000006A85000-memory.dmp

Filesize
980KB

Download
memory/1340-57-0x0000000004120000-0x0000000004160000-memory.dmp

Filesize
256KB

Download
memory/1340-54-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/1340-59-0x0000000004FE0000-0x000000000504E000-memory.dmp

Filesize
440KB

Download
memory/1340-58-0x0000000000700000-0x000000000070C000-memory.dmp

Filesize
48KB

Download
memory/1340-56-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1340-55-0x0000000004120000-0x0000000004160000-memory.dmp

Filesize
256KB

Download
memory/1972-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-68-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/1972-70-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/1972-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1972-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2380-74-0x0000000000E70000-0x0000000000EB6000-memory.dmp

Filesize
280KB

Download
memory/2380-75-0x0000000000E70000-0x0000000000EB6000-memory.dmp

Filesize
280KB

Download
memory/2380-76-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2380-77-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/2380-78-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2380-80-0x0000000000980000-0x0000000000A14000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing