formbook | e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6

General

Target

e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe
Size

814KB
MD5

8fc83cdc44075773ee401f010d2443b0
SHA1

96cd91bb463dcb0f7b56e94bf2cb15d7dc8f63b6
SHA256

220977b28fc847b8a2d7c65d3d19a3859e3e62dc5e19edaf4909965516a91694
SHA512

12a5cf0ee3c995faf09f821e4f4db1bf4f50c5ead57e72bf6e518b38c4d14a020724698e0930ea515ddeb810464ab9c9a616e3c8cd0a7e82ce64ab58a614f597
SSDEEP

12288:mj6mRlmDKClMfkrPEBuGKw3f+s2geR3VJ6wGllh5VelrQTydKp:m2a4KCycrPQIo+aePgDalrQTl

Score

10^/10

formbook kmge rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kmge

Decoy

jia0752d.com

cq0jt.sbs

whimsicalweddingrentals.com

meetsex-here.life

hhe-crv220.com

bedbillionaire.com

soycmo.com

mrawkward.xyz

11ramshornroad.com

motoyonaturals.com

thischicloves.com

gacorbet.pro

ihsanid.com

pancaketurner.com

santanarstore.com

cr3dtv.com

negotools.com

landfillequip.com

sejasuapropriachefe.com

diamant-verkopen.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2808-28-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2808-32-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/636-37-0x0000000000070000-0x000000000009F000-memory.dmp	formbook
behavioral1/memory/636-39-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Drops startup file 3 IoCs

Processes:

e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype.lnk	e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

skype.exe

pid process

1188 skype.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1144 cmd.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

pid	process
1188	skype.exe

pid	process
1144	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

skype.exeAddInProcess32.execscript.exe

description	pid	process	target process
PID 1188 set thread context of 2808	1188	skype.exe	AddInProcess32.exe
PID 2808 set thread context of 1196	2808	AddInProcess32.exe	Explorer.EXE
PID 636 set thread context of 1196	636	cscript.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

cscript.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-1268429524-3929314613-1992311491-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	cscript.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2864 PING.EXE
2548 PING.EXE

pid	process
2864	PING.EXE
2548	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exeskype.exeskype.exeAddInProcess32.execscript.exe

pid	process
1944	e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe
2428	skype.exe
2428	skype.exe
2428	skype.exe
2428	skype.exe
1188	skype.exe
1188	skype.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

AddInProcess32.execscript.exe

pid process

2808 AddInProcess32.exe
2808 AddInProcess32.exe
2808 AddInProcess32.exe
636 cscript.exe
636 cscript.exe
636 cscript.exe
636 cscript.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe

pid process

1944 e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe

pid	process
2808	AddInProcess32.exe
2808	AddInProcess32.exe
2808	AddInProcess32.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe
636	cscript.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exeskype.exeskype.exeAddInProcess32.execscript.exe

description	pid	process
Token: SeDebugPrivilege	1944	e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe
Token: SeDebugPrivilege	2428	skype.exe
Token: SeDebugPrivilege	1188	skype.exe
Token: SeDebugPrivilege	2808	AddInProcess32.exe
Token: SeDebugPrivilege	636	cscript.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exeskype.execmd.exeskype.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1944 wrote to memory of 2428	1944	e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe	skype.exe
PID 1944 wrote to memory of 2428	1944	e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe	skype.exe
PID 1944 wrote to memory of 2428	1944	e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe	skype.exe
PID 1944 wrote to memory of 2428	1944	e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe	skype.exe
PID 2428 wrote to memory of 1144	2428	skype.exe	cmd.exe
PID 2428 wrote to memory of 1144	2428	skype.exe	cmd.exe
PID 2428 wrote to memory of 1144	2428	skype.exe	cmd.exe
PID 2428 wrote to memory of 1144	2428	skype.exe	cmd.exe
PID 1144 wrote to memory of 2864	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 2864	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 2864	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 2864	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 2548	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 2548	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 2548	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 2548	1144	cmd.exe	PING.EXE
PID 1144 wrote to memory of 1188	1144	cmd.exe	skype.exe
PID 1144 wrote to memory of 1188	1144	cmd.exe	skype.exe
PID 1144 wrote to memory of 1188	1144	cmd.exe	skype.exe
PID 1144 wrote to memory of 1188	1144	cmd.exe	skype.exe
PID 1188 wrote to memory of 2808	1188	skype.exe	AddInProcess32.exe
PID 1188 wrote to memory of 2808	1188	skype.exe	AddInProcess32.exe
PID 1188 wrote to memory of 2808	1188	skype.exe	AddInProcess32.exe
PID 1188 wrote to memory of 2808	1188	skype.exe	AddInProcess32.exe
PID 1188 wrote to memory of 2808	1188	skype.exe	AddInProcess32.exe
PID 1188 wrote to memory of 2808	1188	skype.exe	AddInProcess32.exe
PID 1188 wrote to memory of 2808	1188	skype.exe	AddInProcess32.exe
PID 1196 wrote to memory of 636	1196	Explorer.EXE	cscript.exe
PID 1196 wrote to memory of 636	1196	Explorer.EXE	cscript.exe
PID 1196 wrote to memory of 636	1196	Explorer.EXE	cscript.exe
PID 1196 wrote to memory of 636	1196	Explorer.EXE	cscript.exe
PID 636 wrote to memory of 2116	636	cscript.exe	Firefox.exe
PID 636 wrote to memory of 2116	636	cscript.exe	Firefox.exe
PID 636 wrote to memory of 2116	636	cscript.exe	Firefox.exe
PID 636 wrote to memory of 2116	636	cscript.exe	Firefox.exe
PID 636 wrote to memory of 2116	636	cscript.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe
"C:\Users\Admin\AppData\Local\Temp\e64a5a0e34ecb51c2c40cb84016354e096b7c5bc34f5a841d685e94844644ad6.exe"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1944

C:\Users\Admin\AppData\Local\Temp\skype.exe
"C:\Users\Admin\AppData\Local\Temp\skype.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2428

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 12 > nul && copy "C:\Users\Admin\AppData\Local\Temp\skype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe" && ping 127.0.0.1 -n 12 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1144

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
5⤵
- Runs ping.exe
PID:2864

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 12
5⤵
- Runs ping.exe
PID:2548

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2808

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2116

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Data from Local System

1

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
Filesize
693KB

MD5
18384cd534a3b4f318c4518add7f0718

SHA1
00d254f79981ef1862ec54c34a8f9f7cd4b71873

SHA256
71579344b5f565c69af7f922a413436faf0f588664eb1c4afa78d4a6ce239810

SHA512
af61e71f9cddc2c750e18ee0e65319a8019b48193912677dda81e265278a276b885170adddcc626e27d64857a9e762f6bab28172e0cf15237b0ecd1895ca6765

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skype.exe
Filesize
814KB

MD5
8fc83cdc44075773ee401f010d2443b0

SHA1
96cd91bb463dcb0f7b56e94bf2cb15d7dc8f63b6

SHA256
220977b28fc847b8a2d7c65d3d19a3859e3e62dc5e19edaf4909965516a91694

SHA512
12a5cf0ee3c995faf09f821e4f4db1bf4f50c5ead57e72bf6e518b38c4d14a020724698e0930ea515ddeb810464ab9c9a616e3c8cd0a7e82ce64ab58a614f597

Download Submit
memory/636-38-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/636-49-0x0000000000640000-0x00000000006D3000-memory.dmp

Filesize
588KB

Download
memory/636-39-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/636-37-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/636-36-0x0000000000770000-0x0000000000792000-memory.dmp

Filesize
136KB

Download
memory/636-35-0x0000000000770000-0x0000000000792000-memory.dmp

Filesize
136KB

Download
memory/636-43-0x0000000000640000-0x00000000006D3000-memory.dmp

Filesize
588KB

Download
memory/1188-16-0x0000000001160000-0x0000000001232000-memory.dmp

Filesize
840KB

Download
memory/1188-17-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-25-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-18-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/1188-19-0x00000000006A0000-0x00000000006BA000-memory.dmp

Filesize
104KB

Download
memory/1188-20-0x00000000006C0000-0x00000000006C6000-memory.dmp

Filesize
24KB

Download
memory/1188-21-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/1188-29-0x0000000074D20000-0x000000007540E000-memory.dmp

Filesize
6.9MB

Download
memory/1188-27-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/1188-26-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/1196-34-0x0000000004C20000-0x0000000004D05000-memory.dmp

Filesize
916KB

Download
memory/1196-45-0x0000000004C20000-0x0000000004D05000-memory.dmp

Filesize
916KB

Download
memory/1944-0-0x0000000000890000-0x0000000000962000-memory.dmp

Filesize
840KB

Download
memory/1944-1-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/1944-2-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download
memory/1944-3-0x0000000000510000-0x0000000000554000-memory.dmp

Filesize
272KB

Download
memory/1944-5-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-8-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2428-7-0x0000000000320000-0x0000000000360000-memory.dmp

Filesize
256KB

Download
memory/2428-6-0x0000000074D70000-0x000000007545E000-memory.dmp

Filesize
6.9MB

Download
memory/2808-32-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2808-33-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/2808-30-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/2808-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2808-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads