formbook | 210d5b19dfc3dff919ba6ed4d76d2aa8becc988dabcca66b247d05c51811434b

General

Target

ibm_Centos.exe
Size

346KB
MD5

420a0137eaa22be40636008e05d8005a
SHA1

bc96f51d24069d9b8364121dc4397c88e08cb309
SHA256

210d5b19dfc3dff919ba6ed4d76d2aa8becc988dabcca66b247d05c51811434b
SHA512

e7f9b8380e64cdd4836fdc34efd3417812ab783d300a876693f66cddb4667480122f34ac597f5ea9948180a32cff9a6885ad97f1ea063584c00d9b6f71655796
SSDEEP

6144:vYa6rL0Yr8jMUoy49G6SCP/3S19UvOlJJOa85BE681q6pvojLjVY:vYZDJyDm/3SRJwvBEz7p6tY

Score

10^/10

formbook m42i persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m42i

Decoy

kosporttraining.com

z19zgcn.site

kaka225.click

85471xii.net

iuplqle.xyz

bengtsberg.net

bk2y0rmx.site

hotspudqec.space

dreamshospital.com

studio-glinka.com

garotosdatv1.online

au-t-global.com

0kxm.com

medsuppanam.com

sameypaige.com

osstshirts.com

xkrujqqo.shop

hk2r.top

rakebacksites.com

ledxiu.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2004-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2004-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2004-72-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/576-77-0x0000000000100000-0x000000000012F000-memory.dmp	formbook
behavioral1/memory/576-79-0x0000000000100000-0x000000000012F000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
824	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1200	ibm_Centos.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3950455397-3229124517-1686476975-1000\Software\Microsoft\Windows\CurrentVersion\Run\pyuuennjss = "C:\\Users\\Admin\\AppData\\Roaming\\xxtdxxhqqmvvfb\\bkgg.exe \"C:\\Users\\Admin\\AppData\\Local\\Temp\\ibm_Centos.exe\""	ibm_Centos.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1200 set thread context of 2004	1200	ibm_Centos.exe	27
PID 2004 set thread context of 1184	2004	ibm_Centos.exe	21
PID 2004 set thread context of 1184	2004	ibm_Centos.exe	21
PID 576 set thread context of 1184	576	cmstp.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2004	ibm_Centos.exe
2004	ibm_Centos.exe
2004	ibm_Centos.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe
576	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1184	Explorer.EXE

Suspicious behavior: MapViewOfSection 7 IoCs

pid	Process
1200	ibm_Centos.exe
2004	ibm_Centos.exe
2004	ibm_Centos.exe
2004	ibm_Centos.exe
2004	ibm_Centos.exe
576	cmstp.exe
576	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2004	ibm_Centos.exe
Token: SeDebugPrivilege	576	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1184	Explorer.EXE
1184	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1184	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1200 wrote to memory of 2004	1200	ibm_Centos.exe	27
PID 1200 wrote to memory of 2004	1200	ibm_Centos.exe	27
PID 1200 wrote to memory of 2004	1200	ibm_Centos.exe	27
PID 1200 wrote to memory of 2004	1200	ibm_Centos.exe	27
PID 1200 wrote to memory of 2004	1200	ibm_Centos.exe	27
PID 1184 wrote to memory of 576	1184	Explorer.EXE	28
PID 1184 wrote to memory of 576	1184	Explorer.EXE	28
PID 1184 wrote to memory of 576	1184	Explorer.EXE	28
PID 1184 wrote to memory of 576	1184	Explorer.EXE	28
PID 1184 wrote to memory of 576	1184	Explorer.EXE	28
PID 1184 wrote to memory of 576	1184	Explorer.EXE	28
PID 1184 wrote to memory of 576	1184	Explorer.EXE	28
PID 576 wrote to memory of 824	576	cmstp.exe	29
PID 576 wrote to memory of 824	576	cmstp.exe	29
PID 576 wrote to memory of 824	576	cmstp.exe	29
PID 576 wrote to memory of 824	576	cmstp.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1184
- C:\Users\Admin\AppData\Local\Temp\ibm_Centos.exe
  "C:\Users\Admin\AppData\Local\Temp\ibm_Centos.exe"
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\ibm_Centos.exe
    "C:\Users\Admin\AppData\Local\Temp\ibm_Centos.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:576
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\ibm_Centos.exe"
    3⤵
    - Deletes itself
    PID:824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsy4260.tmp\mpgls.dll

Filesize
255KB

MD5
4874e9c95597c552811c664d489739c0

SHA1
109145d468e60a9c1d3b9dbfffbf798bfa4e8e95

SHA256
39cd81d25e703846eb67234b19357736b57f2f4a0f1c4b802f9d0db2c99b3456

SHA512
8add133201607289460f20d74e05a93f49fe54cd3eae6cf11195340ba01354df6275461cb7f5e00b9203e237da3bae3a5ebd89d77030e36b95bd9f3022a99cec

Download Submit
memory/576-74-0x0000000000040000-0x0000000000058000-memory.dmp

Filesize
96KB

Download
memory/576-81-0x0000000000500000-0x0000000000594000-memory.dmp

Filesize
592KB

Download
memory/576-79-0x0000000000100000-0x000000000012F000-memory.dmp

Filesize
188KB

Download
memory/576-78-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/576-77-0x0000000000100000-0x000000000012F000-memory.dmp

Filesize
188KB

Download
memory/576-76-0x0000000000040000-0x0000000000058000-memory.dmp

Filesize
96KB

Download
memory/1184-82-0x0000000004330000-0x00000000043D0000-memory.dmp

Filesize
640KB

Download
memory/1184-71-0x0000000004F50000-0x000000000508B000-memory.dmp

Filesize
1.2MB

Download
memory/1184-68-0x0000000004E00000-0x0000000004F43000-memory.dmp

Filesize
1.3MB

Download
memory/1184-64-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1184-83-0x0000000004330000-0x00000000043D0000-memory.dmp

Filesize
640KB

Download
memory/1184-85-0x000007FEA3370000-0x000007FEA337A000-memory.dmp

Filesize
40KB

Download
memory/1184-86-0x0000000004330000-0x00000000043D0000-memory.dmp

Filesize
640KB

Download
memory/2004-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-70-0x0000000000320000-0x0000000000335000-memory.dmp

Filesize
84KB

Download
memory/2004-67-0x00000000002C0000-0x00000000002D5000-memory.dmp

Filesize
84KB

Download
memory/2004-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2004-65-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/2004-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing