formbook | 239a8da808d8c8af3c89dda0bfeec6ab1f28a65fefca254e42ac993ee887abd0

General

Target

e1e7b17c9e0a298346b82f04fabd4f60.exe
Size

604KB
MD5

e1e7b17c9e0a298346b82f04fabd4f60
SHA1

735264e7cd43dca269582680ce3609eb5cac0418
SHA256

239a8da808d8c8af3c89dda0bfeec6ab1f28a65fefca254e42ac993ee887abd0
SHA512

929478f7a8a88cbbd7a31891cf886a24608bbbfcf5128d5e4683e50aa7cb916b1216194e2186eb2ea51c7511caecb4fac03fda3ae037dc22ceaf7522f6577f32
SSDEEP

12288:KGFOsBgo0q4wMHDyKmBiFmK19sMS+2fI59BDNUHG4lBzGLTq9jbWBCVv:K4OsBgo0q4wMHDyKmBioI9sI2fI5PBU/

Score

10^/10

formbook vd9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vd9n

Decoy

theunwrappedcollective.com

seckj-ic.com

tyresandover.com

thetrophyworld.com

fonggrconstruction.com

hopiproject.com

sktitle.com

charlotteobscurer.com

qjuhe.com

girlzglitter.com

createmylawn.com

hempcbgpill.com

zzdfdzkj.com

shreehariessential.com

226sm.com

getcupscall.com

neuralviolin.com

sanskaar.life

xn--fhqrm54yyukopc.com

togetherx4fantasy5star.today

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/840-3-0x0000000000340000-0x0000000000352000-memory.dmp	CustAttr

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2404-17-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2404-21-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2024-27-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook
behavioral1/memory/2024-33-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeRegSvcs.exewininit.exe

description	pid	process	target process
PID 840 set thread context of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 2404 set thread context of 1196	2404	RegSvcs.exe	Explorer.EXE
PID 2024 set thread context of 1196	2024	wininit.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2432 schtasks.exe

pid	process
2432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeRegSvcs.exewininit.exe

pid	process
840	e1e7b17c9e0a298346b82f04fabd4f60.exe
2404	RegSvcs.exe
2404	RegSvcs.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe
2024	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exewininit.exe

pid process

2404 RegSvcs.exe
2404 RegSvcs.exe
2404 RegSvcs.exe
2024 wininit.exe
2024 wininit.exe

pid	process
2404	RegSvcs.exe
2404	RegSvcs.exe
2404	RegSvcs.exe
2024	wininit.exe
2024	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeRegSvcs.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	840	e1e7b17c9e0a298346b82f04fabd4f60.exe
Token: SeDebugPrivilege	2404	RegSvcs.exe
Token: SeDebugPrivilege	2024	wininit.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 840 wrote to memory of 2432	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	schtasks.exe
PID 840 wrote to memory of 2432	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	schtasks.exe
PID 840 wrote to memory of 2432	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	schtasks.exe
PID 840 wrote to memory of 2432	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	schtasks.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 840 wrote to memory of 2404	840	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 1196 wrote to memory of 2024	1196	Explorer.EXE	wininit.exe
PID 1196 wrote to memory of 2024	1196	Explorer.EXE	wininit.exe
PID 1196 wrote to memory of 2024	1196	Explorer.EXE	wininit.exe
PID 1196 wrote to memory of 2024	1196	Explorer.EXE	wininit.exe
PID 2024 wrote to memory of 2688	2024	wininit.exe	cmd.exe
PID 2024 wrote to memory of 2688	2024	wininit.exe	cmd.exe
PID 2024 wrote to memory of 2688	2024	wininit.exe	cmd.exe
PID 2024 wrote to memory of 2688	2024	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\e1e7b17c9e0a298346b82f04fabd4f60.exe
"C:\Users\Admin\AppData\Local\Temp\e1e7b17c9e0a298346b82f04fabd4f60.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:840

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Vuaokht" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCF8F.tmp"
3⤵
- Creates scheduled task(s)
PID:2432

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2404

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2024

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:2688

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpCF8F.tmp
Filesize
1KB

MD5
3abcc76859bba7c8afc6cda7968d94f2

SHA1
d951dede708964d193049cde1a74d63d3997bd3c

SHA256
30d5010a2d35db5c6f8a4882855418aa196add21c99778749455aedffb68a798

SHA512
f99bf571d346ce4a9fcef7f4f1ec785360b9be9fca65078ec3da0234559ecee806eda5b978d5c59dc7d234fbd80e89f84d934eea2b10bf2a0efc6729357b362c

Download Submit
memory/840-18-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/840-1-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/840-2-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/840-3-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/840-4-0x0000000074680000-0x0000000074D6E000-memory.dmp

Filesize
6.9MB

Download
memory/840-5-0x0000000004FA0000-0x0000000004FE0000-memory.dmp

Filesize
256KB

Download
memory/840-6-0x00000000052B0000-0x0000000005330000-memory.dmp

Filesize
512KB

Download
memory/840-7-0x00000000007E0000-0x0000000000818000-memory.dmp

Filesize
224KB

Download
memory/840-0-0x0000000001210000-0x00000000012AE000-memory.dmp

Filesize
632KB

Download
memory/1196-24-0x0000000007300000-0x000000000746A000-memory.dmp

Filesize
1.4MB

Download
memory/1196-31-0x0000000007300000-0x000000000746A000-memory.dmp

Filesize
1.4MB

Download
memory/1196-22-0x0000000002F30000-0x0000000003030000-memory.dmp

Filesize
1024KB

Download
memory/2024-25-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/2024-33-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/2024-29-0x0000000002120000-0x00000000021B3000-memory.dmp

Filesize
588KB

Download
memory/2024-28-0x00000000022B0000-0x00000000025B3000-memory.dmp

Filesize
3.0MB

Download
memory/2024-27-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/2024-26-0x0000000000490000-0x00000000004AA000-memory.dmp

Filesize
104KB

Download
memory/2404-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2404-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2404-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2404-23-0x0000000000390000-0x00000000003A4000-memory.dmp

Filesize
80KB

Download
memory/2404-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2404-19-0x0000000000920000-0x0000000000C23000-memory.dmp

Filesize
3.0MB

Download
memory/2404-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads