formbook | 239a8da808d8c8af3c89dda0bfeec6ab1f28a65fefca254e42ac993ee887abd0

General

Target

e1e7b17c9e0a298346b82f04fabd4f60.exe
Size

604KB
MD5

e1e7b17c9e0a298346b82f04fabd4f60
SHA1

735264e7cd43dca269582680ce3609eb5cac0418
SHA256

239a8da808d8c8af3c89dda0bfeec6ab1f28a65fefca254e42ac993ee887abd0
SHA512

929478f7a8a88cbbd7a31891cf886a24608bbbfcf5128d5e4683e50aa7cb916b1216194e2186eb2ea51c7511caecb4fac03fda3ae037dc22ceaf7522f6577f32
SSDEEP

12288:KGFOsBgo0q4wMHDyKmBiFmK19sMS+2fI59BDNUHG4lBzGLTq9jbWBCVv:K4OsBgo0q4wMHDyKmBioI9sI2fI5PBU/

Score

10^/10

formbook vd9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vd9n

Decoy

theunwrappedcollective.com

seckj-ic.com

tyresandover.com

thetrophyworld.com

fonggrconstruction.com

hopiproject.com

sktitle.com

charlotteobscurer.com

qjuhe.com

girlzglitter.com

createmylawn.com

hempcbgpill.com

zzdfdzkj.com

shreehariessential.com

226sm.com

getcupscall.com

neuralviolin.com

sanskaar.life

xn--fhqrm54yyukopc.com

togetherx4fantasy5star.today

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral2/memory/3644-7-0x0000000004D60000-0x0000000004D72000-memory.dmp	CustAttr

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3680-17-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3680-22-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2020-28-0x0000000000B00000-0x0000000000B2E000-memory.dmp	formbook
behavioral2/memory/2020-34-0x0000000000B00000-0x0000000000B2E000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	e1e7b17c9e0a298346b82f04fabd4f60.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeRegSvcs.exewlanext.exe

description	pid	process	target process
PID 3644 set thread context of 3680	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 3680 set thread context of 3448	3680	RegSvcs.exe	Explorer.EXE
PID 2020 set thread context of 3448	2020	wlanext.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3984 schtasks.exe

pid	process
3984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeRegSvcs.exewlanext.exe

pid	process
3644	e1e7b17c9e0a298346b82f04fabd4f60.exe
3644	e1e7b17c9e0a298346b82f04fabd4f60.exe
3680	RegSvcs.exe
3680	RegSvcs.exe
3680	RegSvcs.exe
3680	RegSvcs.exe
3680	RegSvcs.exe
3680	RegSvcs.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe
2020	wlanext.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.exewlanext.exe

pid process

3680 RegSvcs.exe
3680 RegSvcs.exe
3680 RegSvcs.exe
2020 wlanext.exe
2020 wlanext.exe

pid	process
3680	RegSvcs.exe
3680	RegSvcs.exe
3680	RegSvcs.exe
2020	wlanext.exe
2020	wlanext.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeRegSvcs.exewlanext.exe

description	pid	process
Token: SeDebugPrivilege	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe
Token: SeDebugPrivilege	3680	RegSvcs.exe
Token: SeDebugPrivilege	2020	wlanext.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3448 Explorer.EXE

pid	process
3448	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

e1e7b17c9e0a298346b82f04fabd4f60.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 3644 wrote to memory of 3984	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	schtasks.exe
PID 3644 wrote to memory of 3984	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	schtasks.exe
PID 3644 wrote to memory of 3984	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	schtasks.exe
PID 3644 wrote to memory of 3680	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 3644 wrote to memory of 3680	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 3644 wrote to memory of 3680	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 3644 wrote to memory of 3680	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 3644 wrote to memory of 3680	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 3644 wrote to memory of 3680	3644	e1e7b17c9e0a298346b82f04fabd4f60.exe	RegSvcs.exe
PID 3448 wrote to memory of 2020	3448	Explorer.EXE	wlanext.exe
PID 3448 wrote to memory of 2020	3448	Explorer.EXE	wlanext.exe
PID 3448 wrote to memory of 2020	3448	Explorer.EXE	wlanext.exe
PID 2020 wrote to memory of 3996	2020	wlanext.exe	cmd.exe
PID 2020 wrote to memory of 3996	2020	wlanext.exe	cmd.exe
PID 2020 wrote to memory of 3996	2020	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3448

C:\Users\Admin\AppData\Local\Temp\e1e7b17c9e0a298346b82f04fabd4f60.exe
"C:\Users\Admin\AppData\Local\Temp\e1e7b17c9e0a298346b82f04fabd4f60.exe"
2⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3644

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\Vuaokht" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4234.tmp"
3⤵
- Creates scheduled task(s)
PID:3984

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3680

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3780 --field-trial-handle=2276,i,5672504106535478802,17394903851940863593,262144 --variations-seed-version /prefetch:8
1⤵
PID:3896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4234.tmp
Filesize
1KB

MD5
edaa37695ff86fd1962a631a82603e2d

SHA1
f3cf7bb576f4d6a07daeeb1b4ed63acca1232f37

SHA256
1f6f75c172258aaade30c6c744ee2588d096631403c7cf929d49acd2bfadff6a

SHA512
257a47c9ea2056bec82c060477c53e39c426be2bef5904309c9c32e03773638e9bd76743607fe3e882ea94738d988efc920d5fe9408793d29ece07ff4cd720da

Download Submit
memory/2020-34-0x0000000000B00000-0x0000000000B2E000-memory.dmp

Filesize
184KB

Download
memory/2020-30-0x0000000001120000-0x00000000011B3000-memory.dmp

Filesize
588KB

Download
memory/2020-29-0x00000000012E0000-0x000000000162A000-memory.dmp

Filesize
3.3MB

Download
memory/2020-28-0x0000000000B00000-0x0000000000B2E000-memory.dmp

Filesize
184KB

Download
memory/2020-27-0x0000000000D10000-0x0000000000D27000-memory.dmp

Filesize
92KB

Download
memory/2020-25-0x0000000000D10000-0x0000000000D27000-memory.dmp

Filesize
92KB

Download
memory/3448-40-0x0000000009130000-0x00000000092A4000-memory.dmp

Filesize
1.5MB

Download
memory/3448-37-0x0000000009130000-0x00000000092A4000-memory.dmp

Filesize
1.5MB

Download
memory/3448-36-0x0000000009130000-0x00000000092A4000-memory.dmp

Filesize
1.5MB

Download
memory/3448-32-0x0000000007B40000-0x0000000007C68000-memory.dmp

Filesize
1.2MB

Download
memory/3448-24-0x0000000007B40000-0x0000000007C68000-memory.dmp

Filesize
1.2MB

Download
memory/3644-7-0x0000000004D60000-0x0000000004D72000-memory.dmp

Filesize
72KB

Download
memory/3644-4-0x00000000054D0000-0x000000000556C000-memory.dmp

Filesize
624KB

Download
memory/3644-19-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3644-1-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3644-2-0x0000000005860000-0x0000000005E04000-memory.dmp

Filesize
5.6MB

Download
memory/3644-3-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/3644-11-0x0000000006DD0000-0x0000000006E08000-memory.dmp

Filesize
224KB

Download
memory/3644-10-0x0000000006D10000-0x0000000006D90000-memory.dmp

Filesize
512KB

Download
memory/3644-9-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/3644-8-0x0000000075180000-0x0000000075930000-memory.dmp

Filesize
7.7MB

Download
memory/3644-0-0x0000000000910000-0x00000000009AE000-memory.dmp

Filesize
632KB

Download
memory/3644-6-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/3644-5-0x0000000005620000-0x0000000005630000-memory.dmp

Filesize
64KB

Download
memory/3680-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3680-23-0x00000000016B0000-0x00000000016C4000-memory.dmp

Filesize
80KB

Download
memory/3680-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3680-20-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads