formbook | 9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6

General

Target

e08cc96789886667def8d2d72520d25f.exe
Size

477KB
MD5

e08cc96789886667def8d2d72520d25f
SHA1

cb7764cbd49da01a6b66553644fb3e84c70669d7
SHA256

9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6
SHA512

7a49c1527307a81a9f6e04b02911bcae1da00d29e5110c76585132db5a657ba35ffa1fa32e6a100a6b7c5ad880b5a9453eb96f3bad527bc076571eb0b918f88f
SSDEEP

6144:SJzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbhp:SJY1ja4qQ+rcbFudkuN/S/1MSSPQcHKP

Score

10^/10

formbook fr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

fr

Decoy

geturstuff.life

kisakollections.com

bkipmtahuna.com

aoxou.com

thebigandfreeupdates.download

utvtribe.com

icontoken.com

naturexperience.com

h2sentertainmentcafe.com

careerproresumepa.com

franchiseindia.directory

psychouniversity.com

traveng.com

mylifestylebyclem.com

greentmraelty.com

imoneg.com

lupusrebelacademy.com

ghqxc.info

lylulidbd.com

dalfreestyle.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2248-23-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2248-28-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2248-33-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/2516-39-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook
behavioral1/memory/2516-45-0x0000000000080000-0x00000000000AA000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

Processes:

syscheck.exesyscheck.exe

pid process

336 syscheck.exe
2248 syscheck.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exesyscheck.exe

pid process

392 cmd.exe
336 syscheck.exe

pid	process
336	syscheck.exe
2248	syscheck.exe

pid	process
392	cmd.exe
336	syscheck.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

syscheck.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-406356229-2805545415-1236085040-1000\Software\Microsoft\Windows\CurrentVersion\Run\sysmgr = "C:\\Users\\Admin\\AppData\\Local\\syscheck.exe -boot"	syscheck.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

syscheck.exesyscheck.exemsdt.exe

description	pid	process	target process
PID 336 set thread context of 2248	336	syscheck.exe	syscheck.exe
PID 2248 set thread context of 1260	2248	syscheck.exe	Explorer.EXE
PID 2248 set thread context of 1260	2248	syscheck.exe	Explorer.EXE
PID 2516 set thread context of 1260	2516	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

syscheck.exemsdt.exe

pid	process
2248	syscheck.exe
2248	syscheck.exe
2248	syscheck.exe
2516	msdt.exe
2516	msdt.exe
2516	msdt.exe
2516	msdt.exe
2516	msdt.exe
2516	msdt.exe
2516	msdt.exe
2516	msdt.exe
2516	msdt.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

syscheck.exemsdt.exe

pid process

2248 syscheck.exe
2248 syscheck.exe
2248 syscheck.exe
2248 syscheck.exe
2516 msdt.exe
2516 msdt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

e08cc96789886667def8d2d72520d25f.exesyscheck.exesyscheck.exemsdt.exe

description	pid	process
Token: SeDebugPrivilege	2600	e08cc96789886667def8d2d72520d25f.exe
Token: SeDebugPrivilege	336	syscheck.exe
Token: SeDebugPrivilege	2248	syscheck.exe
Token: SeDebugPrivilege	2516	msdt.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

e08cc96789886667def8d2d72520d25f.execmd.exesyscheck.exesyscheck.exemsdt.exe

description	pid	process	target process
PID 2600 wrote to memory of 2440	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2600 wrote to memory of 2440	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2600 wrote to memory of 2440	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2600 wrote to memory of 2440	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2600 wrote to memory of 392	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2600 wrote to memory of 392	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2600 wrote to memory of 392	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2600 wrote to memory of 392	2600	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 392 wrote to memory of 336	392	cmd.exe	syscheck.exe
PID 392 wrote to memory of 336	392	cmd.exe	syscheck.exe
PID 392 wrote to memory of 336	392	cmd.exe	syscheck.exe
PID 392 wrote to memory of 336	392	cmd.exe	syscheck.exe
PID 336 wrote to memory of 2248	336	syscheck.exe	syscheck.exe
PID 336 wrote to memory of 2248	336	syscheck.exe	syscheck.exe
PID 336 wrote to memory of 2248	336	syscheck.exe	syscheck.exe
PID 336 wrote to memory of 2248	336	syscheck.exe	syscheck.exe
PID 336 wrote to memory of 2248	336	syscheck.exe	syscheck.exe
PID 336 wrote to memory of 2248	336	syscheck.exe	syscheck.exe
PID 336 wrote to memory of 2248	336	syscheck.exe	syscheck.exe
PID 2248 wrote to memory of 2516	2248	syscheck.exe	msdt.exe
PID 2248 wrote to memory of 2516	2248	syscheck.exe	msdt.exe
PID 2248 wrote to memory of 2516	2248	syscheck.exe	msdt.exe
PID 2248 wrote to memory of 2516	2248	syscheck.exe	msdt.exe
PID 2516 wrote to memory of 1592	2516	msdt.exe	cmd.exe
PID 2516 wrote to memory of 1592	2516	msdt.exe	cmd.exe
PID 2516 wrote to memory of 1592	2516	msdt.exe	cmd.exe
PID 2516 wrote to memory of 1592	2516	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\e08cc96789886667def8d2d72520d25f.exe
"C:\Users\Admin\AppData\Local\Temp\e08cc96789886667def8d2d72520d25f.exe"
2⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2600

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\e08cc96789886667def8d2d72520d25f.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:2440

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:336

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\syscheck.exe"
7⤵
PID:1592

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\syscheck.exe
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\syscheck.exe
Filesize
384KB

MD5
4a5c4eb8423c7e2e5cafa499655ab2a6

SHA1
2eec9436f3187dd80cbea76ff5f086d1ccca9d34

SHA256
16629b66e6be6b58109152f39f72a9c2d1e430ee6b53a640db127f2d166edff8

SHA512
0db2360cbd70e0ffca69a8ffe1070c1d07a4c84dc692e3fe1fde622f70cb313cae4e169698e0fa18fa2f326eaf32c901a317642e2aebedfe5af07ece8067569e

Download Submit
\Users\Admin\AppData\Local\syscheck.exe
Filesize
477KB

MD5
e08cc96789886667def8d2d72520d25f

SHA1
cb7764cbd49da01a6b66553644fb3e84c70669d7

SHA256
9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6

SHA512
7a49c1527307a81a9f6e04b02911bcae1da00d29e5110c76585132db5a657ba35ffa1fa32e6a100a6b7c5ad880b5a9453eb96f3bad527bc076571eb0b918f88f

Download Submit
memory/336-25-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/336-18-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/336-13-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/336-12-0x0000000000950000-0x00000000009CE000-memory.dmp

Filesize
504KB

Download
memory/336-14-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/336-15-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/336-16-0x0000000002030000-0x0000000002070000-memory.dmp

Filesize
256KB

Download
memory/1260-31-0x0000000006AD0000-0x0000000006BCB000-memory.dmp

Filesize
1004KB

Download
memory/1260-30-0x0000000003870000-0x0000000003970000-memory.dmp

Filesize
1024KB

Download
memory/1260-35-0x0000000006AD0000-0x0000000006BCB000-memory.dmp

Filesize
1004KB

Download
memory/1260-36-0x0000000007290000-0x0000000007396000-memory.dmp

Filesize
1.0MB

Download
memory/1260-42-0x0000000007290000-0x0000000007396000-memory.dmp

Filesize
1.0MB

Download
memory/2248-34-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/2248-33-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2248-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2248-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2248-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2248-19-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2248-26-0x00000000009D0000-0x0000000000CD3000-memory.dmp

Filesize
3.0MB

Download
memory/2248-28-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2248-29-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/2516-40-0x0000000002240000-0x0000000002543000-memory.dmp

Filesize
3.0MB

Download
memory/2516-37-0x0000000000460000-0x0000000000554000-memory.dmp

Filesize
976KB

Download
memory/2516-38-0x0000000000460000-0x0000000000554000-memory.dmp

Filesize
976KB

Download
memory/2516-39-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2516-41-0x0000000002010000-0x00000000020A3000-memory.dmp

Filesize
588KB

Download
memory/2516-45-0x0000000000080000-0x00000000000AA000-memory.dmp

Filesize
168KB

Download
memory/2600-6-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-11-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download
memory/2600-0-0x00000000011F0000-0x000000000126E000-memory.dmp

Filesize
504KB

Download
memory/2600-3-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/2600-2-0x0000000000370000-0x000000000038C000-memory.dmp

Filesize
112KB

Download
memory/2600-7-0x0000000000BE0000-0x0000000000C20000-memory.dmp

Filesize
256KB

Download
memory/2600-1-0x00000000744F0000-0x0000000074BDE000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads