formbook | 2a5e63caa90e0386f4de9972913c19cf1f0f33ac5a86e007cbdc84092df12420

General

Target

2338b2d93f5edfcd74f9f3d4d543a667.exe
Size

483KB
MD5

2338b2d93f5edfcd74f9f3d4d543a667
SHA1

21f87eb8272297c0dbc13026d30911d753b7d2b8
SHA256

2a5e63caa90e0386f4de9972913c19cf1f0f33ac5a86e007cbdc84092df12420
SHA512

64bd950047f9fbb4f5544e72316ffcaa63df6dec31c4280f57992c20b04fc7f20f06e359c89e6f1993ae6bc5b9b385a23739f3a3e65fdaa10c28bb59d07cc6a3
SSDEEP

6144:OIFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9b:zh8Mz+sv3y2N1xzAZprkmuN/SD5iKefJ

Score

10^/10

formbook ow persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ow

Decoy

piavecaffe.com

jlxkqg.men

lifesavingfoundation.net

karadasama.net

michaeltraolach-macsweeney.com

thunderwatches.com

serviciocasawhirlpool.biz

c-cap.online

itparksolution.com

clarityhearingkw.com

wpgrosiri.date

colemarshalcambell.com

webperffest.com

adjusterforirma.info

buildersqq.com

spiritualwisdominindia.com

111222333.net

traditionalarabicdishes.com

hmlifi.com

receive-our-info-heredaily.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2868-25-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2868-30-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1860-35-0x00000000000F0000-0x000000000011A000-memory.dmp	formbook
behavioral1/memory/1860-42-0x00000000000F0000-0x000000000011A000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

syscheck.exesyscheck.exe

pid process

2436 syscheck.exe
2868 syscheck.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exesyscheck.exe

pid process

2972 cmd.exe
2436 syscheck.exe

pid	process
2436	syscheck.exe
2868	syscheck.exe

pid	process
2972	cmd.exe
2436	syscheck.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

syscheck.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysnet = "C:\\Users\\Admin\\AppData\\Local\\syscheck.exe -boot"	syscheck.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

syscheck.exesyscheck.execmstp.exe

description	pid	process	target process
PID 2436 set thread context of 2868	2436	syscheck.exe	syscheck.exe
PID 2868 set thread context of 1240	2868	syscheck.exe	Explorer.EXE
PID 1860 set thread context of 1240	1860	cmstp.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

syscheck.execmstp.exe

pid	process
2868	syscheck.exe
2868	syscheck.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe
1860	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

syscheck.execmstp.exe

pid process

2868 syscheck.exe
2868 syscheck.exe
2868 syscheck.exe
1860 cmstp.exe
1860 cmstp.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

2338b2d93f5edfcd74f9f3d4d543a667.exesyscheck.exesyscheck.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe
Token: SeDebugPrivilege	2436	syscheck.exe
Token: SeDebugPrivilege	2868	syscheck.exe
Token: SeDebugPrivilege	1860	cmstp.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

2338b2d93f5edfcd74f9f3d4d543a667.execmd.exesyscheck.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1784 wrote to memory of 2760	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 1784 wrote to memory of 2760	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 1784 wrote to memory of 2760	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 1784 wrote to memory of 2760	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 1784 wrote to memory of 2972	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 1784 wrote to memory of 2972	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 1784 wrote to memory of 2972	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 1784 wrote to memory of 2972	1784	2338b2d93f5edfcd74f9f3d4d543a667.exe	cmd.exe
PID 2972 wrote to memory of 2436	2972	cmd.exe	syscheck.exe
PID 2972 wrote to memory of 2436	2972	cmd.exe	syscheck.exe
PID 2972 wrote to memory of 2436	2972	cmd.exe	syscheck.exe
PID 2972 wrote to memory of 2436	2972	cmd.exe	syscheck.exe
PID 2436 wrote to memory of 2868	2436	syscheck.exe	syscheck.exe
PID 2436 wrote to memory of 2868	2436	syscheck.exe	syscheck.exe
PID 2436 wrote to memory of 2868	2436	syscheck.exe	syscheck.exe
PID 2436 wrote to memory of 2868	2436	syscheck.exe	syscheck.exe
PID 2436 wrote to memory of 2868	2436	syscheck.exe	syscheck.exe
PID 2436 wrote to memory of 2868	2436	syscheck.exe	syscheck.exe
PID 2436 wrote to memory of 2868	2436	syscheck.exe	syscheck.exe
PID 1240 wrote to memory of 1860	1240	Explorer.EXE	cmstp.exe
PID 1240 wrote to memory of 1860	1240	Explorer.EXE	cmstp.exe
PID 1240 wrote to memory of 1860	1240	Explorer.EXE	cmstp.exe
PID 1240 wrote to memory of 1860	1240	Explorer.EXE	cmstp.exe
PID 1240 wrote to memory of 1860	1240	Explorer.EXE	cmstp.exe
PID 1240 wrote to memory of 1860	1240	Explorer.EXE	cmstp.exe
PID 1240 wrote to memory of 1860	1240	Explorer.EXE	cmstp.exe
PID 1860 wrote to memory of 2004	1860	cmstp.exe	cmd.exe
PID 1860 wrote to memory of 2004	1860	cmstp.exe	cmd.exe
PID 1860 wrote to memory of 2004	1860	cmstp.exe	cmd.exe
PID 1860 wrote to memory of 2004	1860	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1240

C:\Users\Admin\AppData\Local\Temp\2338b2d93f5edfcd74f9f3d4d543a667.exe
"C:\Users\Admin\AppData\Local\Temp\2338b2d93f5edfcd74f9f3d4d543a667.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1784

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\2338b2d93f5edfcd74f9f3d4d543a667.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:2760

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2972

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2436

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2868

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:2004

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\syscheck.exe
Filesize
483KB

MD5
2338b2d93f5edfcd74f9f3d4d543a667

SHA1
21f87eb8272297c0dbc13026d30911d753b7d2b8

SHA256
2a5e63caa90e0386f4de9972913c19cf1f0f33ac5a86e007cbdc84092df12420

SHA512
64bd950047f9fbb4f5544e72316ffcaa63df6dec31c4280f57992c20b04fc7f20f06e359c89e6f1993ae6bc5b9b385a23739f3a3e65fdaa10c28bb59d07cc6a3

Download Submit
memory/1240-32-0x0000000006120000-0x00000000062C5000-memory.dmp

Filesize
1.6MB

Download
memory/1240-40-0x0000000006120000-0x00000000062C5000-memory.dmp

Filesize
1.6MB

Download
memory/1784-0-0x0000000000370000-0x00000000003EE000-memory.dmp

Filesize
504KB

Download
memory/1784-1-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-2-0x0000000000660000-0x000000000067C000-memory.dmp

Filesize
112KB

Download
memory/1784-3-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/1784-6-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1784-7-0x0000000001F30000-0x0000000001F70000-memory.dmp

Filesize
256KB

Download
memory/1784-10-0x0000000073F70000-0x000000007465E000-memory.dmp

Filesize
6.9MB

Download
memory/1860-42-0x00000000000F0000-0x000000000011A000-memory.dmp

Filesize
168KB

Download
memory/1860-33-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

Filesize
96KB

Download
memory/1860-38-0x00000000008B0000-0x0000000000943000-memory.dmp

Filesize
588KB

Download
memory/1860-36-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1860-35-0x00000000000F0000-0x000000000011A000-memory.dmp

Filesize
168KB

Download
memory/1860-34-0x0000000000FA0000-0x0000000000FB8000-memory.dmp

Filesize
96KB

Download
memory/2436-15-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-16-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2436-18-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2436-14-0x0000000004B10000-0x0000000004B50000-memory.dmp

Filesize
256KB

Download
memory/2436-12-0x0000000000F40000-0x0000000000FBE000-memory.dmp

Filesize
504KB

Download
memory/2436-27-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2436-13-0x0000000073880000-0x0000000073F6E000-memory.dmp

Filesize
6.9MB

Download
memory/2868-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-30-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-31-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/2868-28-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/2868-25-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2868-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2868-21-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads