formbook | 52cb64f7b741d860bdc00ae7fadaa0d0662763cf49111425e7652712f81cde8f

General

Target

517dda9b379c2b62f6620fa2b8b209e3.exe
Size

483KB
MD5

517dda9b379c2b62f6620fa2b8b209e3
SHA1

a3ed0cb736784b6d3e417e30b901eedd2e87194f
SHA256

52cb64f7b741d860bdc00ae7fadaa0d0662763cf49111425e7652712f81cde8f
SHA512

4ba111b8aa505fe5a144544ec6397a02210a7ecc21ee7dc94d6c2f04eeb5ca58dcc11c057ff06da74e4491c2710fa43723a1dc641088402d90ea1143852d9475
SSDEEP

6144:2IFhuSYWFYgrKsUc3y2WnO1xzcWmZXe2rkwnbo60T21BOcCSrYDEgfje5ig1ef9m:7h8Mz+sv3y2N1xzAZprkmuN/SD5iKefA

Score

10^/10

formbook ow persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ow

Decoy

piavecaffe.com

jlxkqg.men

lifesavingfoundation.net

karadasama.net

michaeltraolach-macsweeney.com

thunderwatches.com

serviciocasawhirlpool.biz

c-cap.online

itparksolution.com

clarityhearingkw.com

wpgrosiri.date

colemarshalcambell.com

webperffest.com

adjusterforirma.info

buildersqq.com

spiritualwisdominindia.com

111222333.net

traditionalarabicdishes.com

hmlifi.com

receive-our-info-heredaily.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/804-24-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/804-29-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/804-34-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1692-40-0x00000000000C0000-0x00000000000EA000-memory.dmp	formbook
behavioral1/memory/1692-47-0x00000000000C0000-0x00000000000EA000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

syscheck.exesyscheck.exe

pid process

1740 syscheck.exe
804 syscheck.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exesyscheck.exe

pid process

2276 cmd.exe
1740 syscheck.exe

pid	process
1740	syscheck.exe
804	syscheck.exe

pid	process
2276	cmd.exe
1740	syscheck.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

syscheck.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2444714103-3190537498-3629098939-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysnet = "C:\\Users\\Admin\\AppData\\Local\\syscheck.exe -boot"	syscheck.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

syscheck.exesyscheck.execmd.exe

description	pid	process	target process
PID 1740 set thread context of 804	1740	syscheck.exe	syscheck.exe
PID 804 set thread context of 1200	804	syscheck.exe	Explorer.EXE
PID 804 set thread context of 1200	804	syscheck.exe	Explorer.EXE
PID 1692 set thread context of 1200	1692	cmd.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

syscheck.execmd.exe

pid	process
804	syscheck.exe
804	syscheck.exe
804	syscheck.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe
1692	cmd.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

syscheck.execmd.exe

pid process

804 syscheck.exe
804 syscheck.exe
804 syscheck.exe
804 syscheck.exe
1692 cmd.exe
1692 cmd.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

517dda9b379c2b62f6620fa2b8b209e3.exesyscheck.exesyscheck.execmd.exe

description	pid	process
Token: SeDebugPrivilege	1776	517dda9b379c2b62f6620fa2b8b209e3.exe
Token: SeDebugPrivilege	1740	syscheck.exe
Token: SeDebugPrivilege	804	syscheck.exe
Token: SeDebugPrivilege	1692	cmd.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

517dda9b379c2b62f6620fa2b8b209e3.execmd.exesyscheck.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1776 wrote to memory of 2832	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 1776 wrote to memory of 2832	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 1776 wrote to memory of 2832	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 1776 wrote to memory of 2832	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 1776 wrote to memory of 2276	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 1776 wrote to memory of 2276	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 1776 wrote to memory of 2276	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 1776 wrote to memory of 2276	1776	517dda9b379c2b62f6620fa2b8b209e3.exe	cmd.exe
PID 2276 wrote to memory of 1740	2276	cmd.exe	syscheck.exe
PID 2276 wrote to memory of 1740	2276	cmd.exe	syscheck.exe
PID 2276 wrote to memory of 1740	2276	cmd.exe	syscheck.exe
PID 2276 wrote to memory of 1740	2276	cmd.exe	syscheck.exe
PID 1740 wrote to memory of 804	1740	syscheck.exe	syscheck.exe
PID 1740 wrote to memory of 804	1740	syscheck.exe	syscheck.exe
PID 1740 wrote to memory of 804	1740	syscheck.exe	syscheck.exe
PID 1740 wrote to memory of 804	1740	syscheck.exe	syscheck.exe
PID 1740 wrote to memory of 804	1740	syscheck.exe	syscheck.exe
PID 1740 wrote to memory of 804	1740	syscheck.exe	syscheck.exe
PID 1740 wrote to memory of 804	1740	syscheck.exe	syscheck.exe
PID 1200 wrote to memory of 1692	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1692	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1692	1200	Explorer.EXE	cmd.exe
PID 1200 wrote to memory of 1692	1200	Explorer.EXE	cmd.exe
PID 1692 wrote to memory of 1452	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1452	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1452	1692	cmd.exe	cmd.exe
PID 1692 wrote to memory of 1452	1692	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\517dda9b379c2b62f6620fa2b8b209e3.exe
"C:\Users\Admin\AppData\Local\Temp\517dda9b379c2b62f6620fa2b8b209e3.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1776

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\517dda9b379c2b62f6620fa2b8b209e3.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:2832

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2276

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:804

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:1452

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\syscheck.exe
Filesize
48KB

MD5
ac868e5e1140a15ad3e4430b5a75f6a4

SHA1
16671a089a2d1ea9a4f9270df3fff01cde6923a1

SHA256
9ae5c1643267a4f485c348d432aa2fb9b53d60b1153711d7fd4add2d1fc3c62c

SHA512
a370f192025d677a117c04a2dda9a73cb403bb999697c2e88b1842ea789ef8cfd5fabaa63639aca7f123a8a3a2971e6974dd5365d5b75b64210c1f998130b9dc

Download Submit
\Users\Admin\AppData\Local\syscheck.exe
Filesize
483KB

MD5
517dda9b379c2b62f6620fa2b8b209e3

SHA1
a3ed0cb736784b6d3e417e30b901eedd2e87194f

SHA256
52cb64f7b741d860bdc00ae7fadaa0d0662763cf49111425e7652712f81cde8f

SHA512
4ba111b8aa505fe5a144544ec6397a02210a7ecc21ee7dc94d6c2f04eeb5ca58dcc11c057ff06da74e4491c2710fa43723a1dc641088402d90ea1143852d9475

Download Submit
memory/804-35-0x0000000000560000-0x0000000000574000-memory.dmp

Filesize
80KB

Download
memory/804-18-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/804-29-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/804-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/804-34-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/804-24-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/804-30-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/804-27-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/804-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1200-31-0x00000000038F0000-0x00000000039F0000-memory.dmp

Filesize
1024KB

Download
memory/1200-42-0x0000000008800000-0x0000000008958000-memory.dmp

Filesize
1.3MB

Download
memory/1200-37-0x0000000004AB0000-0x0000000004B6C000-memory.dmp

Filesize
752KB

Download
memory/1200-32-0x0000000008800000-0x0000000008958000-memory.dmp

Filesize
1.3MB

Download
memory/1200-45-0x0000000004AB0000-0x0000000004B6C000-memory.dmp

Filesize
752KB

Download
memory/1692-38-0x000000004A2B0000-0x000000004A2FC000-memory.dmp

Filesize
304KB

Download
memory/1692-39-0x000000004A2B0000-0x000000004A2FC000-memory.dmp

Filesize
304KB

Download
memory/1692-40-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1692-41-0x0000000001EE0000-0x00000000021E3000-memory.dmp

Filesize
3.0MB

Download
memory/1692-43-0x0000000001DF0000-0x0000000001E83000-memory.dmp

Filesize
588KB

Download
memory/1692-47-0x00000000000C0000-0x00000000000EA000-memory.dmp

Filesize
168KB

Download
memory/1740-15-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-12-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/1740-16-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/1740-14-0x0000000000B50000-0x0000000000B90000-memory.dmp

Filesize
256KB

Download
memory/1740-13-0x0000000000BE0000-0x0000000000C5E000-memory.dmp

Filesize
504KB

Download
memory/1740-26-0x0000000074160000-0x000000007484E000-memory.dmp

Filesize
6.9MB

Download
memory/1776-0-0x0000000000920000-0x000000000099E000-memory.dmp

Filesize
504KB

Download
memory/1776-7-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/1776-1-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1776-3-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/1776-10-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download
memory/1776-2-0x0000000000340000-0x000000000035C000-memory.dmp

Filesize
112KB

Download
memory/1776-4-0x00000000741B0000-0x000000007489E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads