formbook | 9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6

General

Target

e08cc96789886667def8d2d72520d25f.exe
Size

477KB
MD5

e08cc96789886667def8d2d72520d25f
SHA1

cb7764cbd49da01a6b66553644fb3e84c70669d7
SHA256

9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6
SHA512

7a49c1527307a81a9f6e04b02911bcae1da00d29e5110c76585132db5a657ba35ffa1fa32e6a100a6b7c5ad880b5a9453eb96f3bad527bc076571eb0b918f88f
SSDEEP

6144:SJzKf/zmCja4qQmQCrcbnFuuUcTFx0T21BOcCSaa1MSSB6T1KpQcHCbhp:SJY1ja4qQ+rcbFudkuN/S/1MSSPQcHKP

Score

10^/10

formbook fr persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

fr

Decoy

geturstuff.life

kisakollections.com

bkipmtahuna.com

aoxou.com

thebigandfreeupdates.download

utvtribe.com

icontoken.com

naturexperience.com

h2sentertainmentcafe.com

careerproresumepa.com

franchiseindia.directory

psychouniversity.com

traveng.com

mylifestylebyclem.com

greentmraelty.com

imoneg.com

lupusrebelacademy.com

ghqxc.info

lylulidbd.com

dalfreestyle.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2028-20-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/2028-26-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/4184-32-0x0000000000480000-0x00000000004AA000-memory.dmp	formbook
behavioral2/memory/4184-38-0x0000000000480000-0x00000000004AA000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e08cc96789886667def8d2d72520d25f.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\Control Panel\International\Geo\Nation	e08cc96789886667def8d2d72520d25f.exe

Executes dropped EXE 2 IoCs

Processes:

syscheck.exesyscheck.exe

pid process

524 syscheck.exe
2028 syscheck.exe

pid	process
524	syscheck.exe
2028	syscheck.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

syscheck.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysmgr = "C:\\Users\\Admin\\AppData\\Local\\syscheck.exe -boot"	syscheck.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

syscheck.exesyscheck.exewlanext.exe

description	pid	process	target process
PID 524 set thread context of 2028	524	syscheck.exe	syscheck.exe
PID 2028 set thread context of 3320	2028	syscheck.exe	Explorer.EXE
PID 4184 set thread context of 3320	4184	wlanext.exe	Explorer.EXE

Drops file in Program Files directory 1 IoCs

Processes:

wlanext.exe

description ioc process

File opened for modification C:\Program Files (x86)\Bmlg46tv0\user-zt.exe wlanext.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Program Files (x86)\Bmlg46tv0\user-zt.exe	wlanext.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

syscheck.exewlanext.exe

pid	process
2028	syscheck.exe
2028	syscheck.exe
2028	syscheck.exe
2028	syscheck.exe
2028	syscheck.exe
2028	syscheck.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe
4184	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

syscheck.exewlanext.exe

pid process

2028 syscheck.exe
2028 syscheck.exe
2028 syscheck.exe
4184 wlanext.exe
4184 wlanext.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

e08cc96789886667def8d2d72520d25f.exesyscheck.exesyscheck.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2180	e08cc96789886667def8d2d72520d25f.exe
Token: SeDebugPrivilege	524	syscheck.exe
Token: SeDebugPrivilege	2028	syscheck.exe
Token: SeDebugPrivilege	4184	wlanext.exe
Token: SeShutdownPrivilege	3320	Explorer.EXE
Token: SeCreatePagefilePrivilege	3320	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

e08cc96789886667def8d2d72520d25f.execmd.exesyscheck.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2180 wrote to memory of 2464	2180	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2180 wrote to memory of 2464	2180	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2180 wrote to memory of 2464	2180	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2180 wrote to memory of 4456	2180	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2180 wrote to memory of 4456	2180	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 2180 wrote to memory of 4456	2180	e08cc96789886667def8d2d72520d25f.exe	cmd.exe
PID 4456 wrote to memory of 524	4456	cmd.exe	syscheck.exe
PID 4456 wrote to memory of 524	4456	cmd.exe	syscheck.exe
PID 4456 wrote to memory of 524	4456	cmd.exe	syscheck.exe
PID 524 wrote to memory of 2028	524	syscheck.exe	syscheck.exe
PID 524 wrote to memory of 2028	524	syscheck.exe	syscheck.exe
PID 524 wrote to memory of 2028	524	syscheck.exe	syscheck.exe
PID 524 wrote to memory of 2028	524	syscheck.exe	syscheck.exe
PID 524 wrote to memory of 2028	524	syscheck.exe	syscheck.exe
PID 524 wrote to memory of 2028	524	syscheck.exe	syscheck.exe
PID 3320 wrote to memory of 4184	3320	Explorer.EXE	wlanext.exe
PID 3320 wrote to memory of 4184	3320	Explorer.EXE	wlanext.exe
PID 3320 wrote to memory of 4184	3320	Explorer.EXE	wlanext.exe
PID 4184 wrote to memory of 2876	4184	wlanext.exe	cmd.exe
PID 4184 wrote to memory of 2876	4184	wlanext.exe	cmd.exe
PID 4184 wrote to memory of 2876	4184	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320

C:\Users\Admin\AppData\Local\Temp\e08cc96789886667def8d2d72520d25f.exe
"C:\Users\Admin\AppData\Local\Temp\e08cc96789886667def8d2d72520d25f.exe"
2⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2180

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\e08cc96789886667def8d2d72520d25f.exe" "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:2464

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c, "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:4456

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:524

C:\Users\Admin\AppData\Local\syscheck.exe
"C:\Users\Admin\AppData\Local\syscheck.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4184

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\syscheck.exe"
3⤵
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\syscheck.exe
Filesize
477KB

MD5
e08cc96789886667def8d2d72520d25f

SHA1
cb7764cbd49da01a6b66553644fb3e84c70669d7

SHA256
9ededd53a7b7f060dd6c315331fe8bd20c5c69d4dfe6ca1346b55405731381b6

SHA512
7a49c1527307a81a9f6e04b02911bcae1da00d29e5110c76585132db5a657ba35ffa1fa32e6a100a6b7c5ad880b5a9453eb96f3bad527bc076571eb0b918f88f

Download Submit
memory/524-17-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/524-23-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/524-19-0x0000000005AD0000-0x0000000005B6C000-memory.dmp

Filesize
624KB

Download
memory/524-18-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/524-14-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/524-15-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/2028-27-0x0000000000B90000-0x0000000000BA4000-memory.dmp

Filesize
80KB

Download
memory/2028-26-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2028-24-0x00000000010A0000-0x00000000013EA000-memory.dmp

Filesize
3.3MB

Download
memory/2028-20-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2180-9-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2180-16-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/2180-0-0x0000000000DC0000-0x0000000000E3E000-memory.dmp

Filesize
504KB

Download
memory/2180-8-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/2180-5-0x00000000059E0000-0x00000000059F0000-memory.dmp

Filesize
64KB

Download
memory/2180-4-0x0000000005800000-0x000000000581C000-memory.dmp

Filesize
112KB

Download
memory/2180-3-0x0000000005820000-0x00000000058B2000-memory.dmp

Filesize
584KB

Download
memory/2180-2-0x0000000005EE0000-0x0000000006484000-memory.dmp

Filesize
5.6MB

Download
memory/2180-1-0x0000000074CE0000-0x0000000075490000-memory.dmp

Filesize
7.7MB

Download
memory/3320-28-0x0000000008E80000-0x0000000008FA7000-memory.dmp

Filesize
1.2MB

Download
memory/3320-36-0x0000000008E80000-0x0000000008FA7000-memory.dmp

Filesize
1.2MB

Download
memory/3320-39-0x0000000009020000-0x000000000913A000-memory.dmp

Filesize
1.1MB

Download
memory/3320-40-0x0000000009020000-0x000000000913A000-memory.dmp

Filesize
1.1MB

Download
memory/4184-29-0x0000000000900000-0x0000000000917000-memory.dmp

Filesize
92KB

Download
memory/4184-31-0x0000000000900000-0x0000000000917000-memory.dmp

Filesize
92KB

Download
memory/4184-32-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download
memory/4184-33-0x0000000000C80000-0x0000000000FCA000-memory.dmp

Filesize
3.3MB

Download
memory/4184-34-0x00000000009F0000-0x0000000000A83000-memory.dmp

Filesize
588KB

Download
memory/4184-38-0x0000000000480000-0x00000000004AA000-memory.dmp

Filesize
168KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads