formbook | ebdc855d3a59911b5096ed167a66a6f9361c0a367bc9c7664693ef11582d1b1f

General

Target

tmp.exe
Size

744KB
MD5

ea1f082ea4f956a042ec414357eca36f
SHA1

716723f0569d1cb85861a0b29de2a1c169b40108
SHA256

ebdc855d3a59911b5096ed167a66a6f9361c0a367bc9c7664693ef11582d1b1f
SHA512

59a43c69b573daa7f4148b92060ccbe82f666e0bf756b7a1444a0169127004519c7d91214aa8269ac1dc20038d742e1f1e2b47f866ff88695d7ae140449ec9d1
SSDEEP

12288:d7D0L/q+uJOgs/z3i8D+KnIqsW1O7YP5Hd9dpsjp5MeoiaqFd53rD22ryMGCIUBU:NYC+TZm5qc05Fpsjp5MwRZrD

Score

10^/10

formbook cg86 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cg86

Decoy

cerapoxy.net

ultradronexi.com

beshealtahub.shop

showmethetee.com

bixtrack.com

yunosave.site

rtppedro77.com

vxscnb.cfd

joshtalkhindi.com

sarma.dev

valuationauto.com

bankruptcymindebitfaster.store

zingymart.store

w8vip.net

munch-o-las.com

evolvewithsarahcoaching.com

hgygfrr.store

y6732cn.cfd

steancomunnyty.online

huz7r4a6so.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2616-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2828-21-0x0000000002670000-0x00000000026B0000-memory.dmp	formbook
behavioral1/memory/2616-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2608-29-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2608-31-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2616	2224	tmp.exe	30
PID 2616 set thread context of 1192	2616	MSBuild.exe	10
PID 2608 set thread context of 1192	2608	control.exe	10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2616	MSBuild.exe
2616	MSBuild.exe
2828	powershell.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe
2608	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2616	MSBuild.exe
2616	MSBuild.exe
2616	MSBuild.exe
2608	control.exe
2608	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2616	MSBuild.exe
Token: SeDebugPrivilege	2828	powershell.exe
Token: SeDebugPrivilege	2608	control.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2828	2224	tmp.exe	28
PID 2224 wrote to memory of 2828	2224	tmp.exe	28
PID 2224 wrote to memory of 2828	2224	tmp.exe	28
PID 2224 wrote to memory of 2828	2224	tmp.exe	28
PID 2224 wrote to memory of 2616	2224	tmp.exe	30
PID 2224 wrote to memory of 2616	2224	tmp.exe	30
PID 2224 wrote to memory of 2616	2224	tmp.exe	30
PID 2224 wrote to memory of 2616	2224	tmp.exe	30
PID 2224 wrote to memory of 2616	2224	tmp.exe	30
PID 2224 wrote to memory of 2616	2224	tmp.exe	30
PID 2224 wrote to memory of 2616	2224	tmp.exe	30
PID 1192 wrote to memory of 2608	1192	Explorer.EXE	31
PID 1192 wrote to memory of 2608	1192	Explorer.EXE	31
PID 1192 wrote to memory of 2608	1192	Explorer.EXE	31
PID 1192 wrote to memory of 2608	1192	Explorer.EXE	31
PID 2608 wrote to memory of 2936	2608	control.exe	32
PID 2608 wrote to memory of 2936	2608	control.exe	32
PID 2608 wrote to memory of 2936	2608	control.exe	32
PID 2608 wrote to memory of 2936	2608	control.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2608
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:2936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-25-0x0000000006C30000-0x0000000006D6A000-memory.dmp

Filesize
1.2MB

Download
memory/2224-6-0x0000000007860000-0x00000000078D6000-memory.dmp

Filesize
472KB

Download
memory/2224-1-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-3-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2224-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2224-5-0x0000000000410000-0x0000000000424000-memory.dmp

Filesize
80KB

Download
memory/2224-0-0x00000000010A0000-0x0000000001160000-memory.dmp

Filesize
768KB

Download
memory/2224-13-0x0000000074040000-0x000000007472E000-memory.dmp

Filesize
6.9MB

Download
memory/2224-2-0x0000000007270000-0x00000000072B0000-memory.dmp

Filesize
256KB

Download
memory/2608-29-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2608-28-0x00000000006D0000-0x00000000006EF000-memory.dmp

Filesize
124KB

Download
memory/2608-27-0x00000000006D0000-0x00000000006EF000-memory.dmp

Filesize
124KB

Download
memory/2608-30-0x0000000001F50000-0x0000000002253000-memory.dmp

Filesize
3.0MB

Download
memory/2608-33-0x0000000001CC0000-0x0000000001D53000-memory.dmp

Filesize
588KB

Download
memory/2608-31-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2616-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-20-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/2616-16-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/2616-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-11-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2616-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2616-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2828-19-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-26-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-23-0x0000000074070000-0x000000007461B000-memory.dmp

Filesize
5.7MB

Download
memory/2828-22-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2828-21-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download
memory/2828-18-0x0000000002670000-0x00000000026B0000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing