formbook | ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924

General

Target

narudba Rs211-24400.exe
Size

619KB
MD5

996f511df3eb434b0c8c8bb2f5ffac86
SHA1

61c47ca95118845ed58d0a95861534b2c697e073
SHA256

ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924
SHA512

443152150b99c31c82ef2d74e6a9bbba4b970c4863ed4527b6df299f622705c72a72d0e34f1698227cd463ed77d66322d284f8e650451dc020d2d62b69e04d13
SSDEEP

12288:WG2iNlw0Tpi/K61Zp5TIoc2uEj+5Qf+rdu7BrYb0kg4taHk9KnQbJUNkR:h1XLodbpOoci2Q+rdUrYQjHkcQbZ

Score

10^/10

formbook dd20 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd20

Decoy

unblurd.com

docu-zign.com

randijpaulsen.com

angsabet.com

sedatelynx.com

opiumcore.store

thelordismysaviormerch.com

mindstudio.support

waterbygraceteam.com

furnitureinspiredbythesea.com

amablanca.com

hespelerdental.com

arcalid.net

balajinursingbureau.online

caixias.shop

solingen-buergerstiftung.com

194916.top

6travel-insurance.xyz

xn--fiqp9b17y.xn--czr694b

syntixi.trade

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2608-23-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2608-28-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2476-35-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/2476-37-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

narudba Rs211-24400.exeRegSvcs.exemsdt.exe

description	pid	process	target process
PID 824 set thread context of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 2608 set thread context of 1380	2608	RegSvcs.exe	Explorer.EXE
PID 2476 set thread context of 1380	2476	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2784 schtasks.exe

pid	process
2784	schtasks.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

narudba Rs211-24400.exepowershell.exeRegSvcs.exemsdt.exe

pid	process
824	narudba Rs211-24400.exe
824	narudba Rs211-24400.exe
3040	powershell.exe
824	narudba Rs211-24400.exe
2608	RegSvcs.exe
2608	RegSvcs.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe
2476	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exemsdt.exe

pid process

2608 RegSvcs.exe
2608 RegSvcs.exe
2608 RegSvcs.exe
2476 msdt.exe
2476 msdt.exe

pid	process
2608	RegSvcs.exe
2608	RegSvcs.exe
2608	RegSvcs.exe
2476	msdt.exe
2476	msdt.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

narudba Rs211-24400.exepowershell.exeRegSvcs.exemsdt.exe

description	pid	process
Token: SeDebugPrivilege	824	narudba Rs211-24400.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2608	RegSvcs.exe
Token: SeDebugPrivilege	2476	msdt.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1380 Explorer.EXE
1380 Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

pid	process
1380	Explorer.EXE
1380	Explorer.EXE

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

narudba Rs211-24400.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 824 wrote to memory of 3040	824	narudba Rs211-24400.exe	powershell.exe
PID 824 wrote to memory of 3040	824	narudba Rs211-24400.exe	powershell.exe
PID 824 wrote to memory of 3040	824	narudba Rs211-24400.exe	powershell.exe
PID 824 wrote to memory of 3040	824	narudba Rs211-24400.exe	powershell.exe
PID 824 wrote to memory of 2784	824	narudba Rs211-24400.exe	schtasks.exe
PID 824 wrote to memory of 2784	824	narudba Rs211-24400.exe	schtasks.exe
PID 824 wrote to memory of 2784	824	narudba Rs211-24400.exe	schtasks.exe
PID 824 wrote to memory of 2784	824	narudba Rs211-24400.exe	schtasks.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 824 wrote to memory of 2608	824	narudba Rs211-24400.exe	RegSvcs.exe
PID 1380 wrote to memory of 2476	1380	Explorer.EXE	msdt.exe
PID 1380 wrote to memory of 2476	1380	Explorer.EXE	msdt.exe
PID 1380 wrote to memory of 2476	1380	Explorer.EXE	msdt.exe
PID 1380 wrote to memory of 2476	1380	Explorer.EXE	msdt.exe
PID 2476 wrote to memory of 2712	2476	msdt.exe	cmd.exe
PID 2476 wrote to memory of 2712	2476	msdt.exe	cmd.exe
PID 2476 wrote to memory of 2712	2476	msdt.exe	cmd.exe
PID 2476 wrote to memory of 2712	2476	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\narudba Rs211-24400.exe
"C:\Users\Admin\AppData\Local\Temp\narudba Rs211-24400.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hIHKJIXn.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hIHKJIXn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4164.tmp"
3⤵
- Creates scheduled task(s)
PID:2784

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2712

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4164.tmp
Filesize
1KB

MD5
5d15700156fc37e920f010930c3144e4

SHA1
da6b216e00d8a357f51452054a0b1dff664107f5

SHA256
e0d1117acf37780f4de9444b2951647ba66d58763f72b8fd9ab059985d486251

SHA512
404d278abffcce088683a1323e7e3e9c8869e32411e0e79a329f0caeb60e56b6a9165675b15029af9ee0c7f1f1685979d7d9d9fe7c47799b57dd6f7a86c463b5

Download Submit
memory/824-3-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/824-0-0x0000000000970000-0x0000000000A0C000-memory.dmp

Filesize
624KB

Download
memory/824-24-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/824-4-0x0000000000870000-0x000000000087C000-memory.dmp

Filesize
48KB

Download
memory/824-5-0x0000000005240000-0x00000000052B6000-memory.dmp

Filesize
472KB

Download
memory/824-1-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/824-25-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/824-2-0x0000000000690000-0x00000000006D0000-memory.dmp

Filesize
256KB

Download
memory/1380-43-0x00000000095D0000-0x00000000096E4000-memory.dmp

Filesize
1.1MB

Download
memory/1380-40-0x0000000006EF0000-0x000000000700A000-memory.dmp

Filesize
1.1MB

Download
memory/1380-44-0x00000000095D0000-0x00000000096E4000-memory.dmp

Filesize
1.1MB

Download
memory/1380-31-0x0000000006EF0000-0x000000000700A000-memory.dmp

Filesize
1.1MB

Download
memory/1380-29-0x0000000002F40000-0x0000000003040000-memory.dmp

Filesize
1024KB

Download
memory/1380-47-0x00000000095D0000-0x00000000096E4000-memory.dmp

Filesize
1.1MB

Download
memory/2476-34-0x0000000000340000-0x0000000000434000-memory.dmp

Filesize
976KB

Download
memory/2476-33-0x0000000000340000-0x0000000000434000-memory.dmp

Filesize
976KB

Download
memory/2476-39-0x0000000002100000-0x0000000002194000-memory.dmp

Filesize
592KB

Download
memory/2476-37-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2476-36-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/2476-35-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2608-30-0x00000000001A0000-0x00000000001B5000-memory.dmp

Filesize
84KB

Download
memory/2608-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-21-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2608-26-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/2608-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-32-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-20-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-17-0x0000000002CB0000-0x0000000002CF0000-memory.dmp

Filesize
256KB

Download
memory/3040-16-0x0000000002CB0000-0x0000000002CF0000-memory.dmp

Filesize
256KB

Download
memory/3040-14-0x000000006F220000-0x000000006F7CB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads