formbook | 1cd7b732c7638b4d1816385e810e158dcc53650406b315c2035d8e416e4cf3a8

General

Target

3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
Size

652KB
MD5

26a38af05a6bdd23f047eb65fee67251
SHA1

61633e621f7d7cdcca5936b27a18cfe7e5169aae
SHA256

3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a
SHA512

7d852f05e4377b77691c3c7517609b6bd12c96d0c5dfe0bb330974ff891731529c12da9a7d52ea0f4e526fd35ce35237bfe40d2099afc12f59e58f95157e16b9
SSDEEP

12288:JCTYHa5WHBh2Izs6vHhIlvyuq7it546mz2p9:QTYNHU6vHKlvU7ij46mKp

Score

10^/10

formbook hy07 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hy07

Decoy

katemclaughl.in

worthyofficial.com

digitopia.click

ledmee.com

siwaasnz.life

ba-y.com

specifiedbuild.com

abandoned-houses-pt-0.bond

yesxoit.xyz

onlinemehrgeld.com

gosysamergoods.com

speakdontell.com

brokenequipmentsolutions.online

gruppofebi.cloud

adilosk.shop

supplierpartnerportal.com

wizov.dev

fast-homeinsurance.com

j88.vote

onamaevn.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3352-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000\Control Panel\International\Geo\Nation	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

description	pid	process	target process
PID 3168 set thread context of 3352	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

1016 schtasks.exe

pid	process
1016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exepowershell.exe3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

pid	process
3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
3380	powershell.exe
3352	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
3352	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
3380	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

description	pid	process
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
"C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\wIJCOfiF.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3380

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\wIJCOfiF" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF5F9.tmp"
2⤵
- Creates scheduled task(s)
PID:1016

C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
"C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
2⤵
PID:3840

C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
"C:\Users\Admin\AppData\Local\Temp\3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_konedbon.cd4.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF5F9.tmp
Filesize
1KB

MD5
3443de31389eb53f707cc8d4786f70f2

SHA1
6ac811634348044306d9f0337eb0ac2f9cdff917

SHA256
9866fe3ba2d756a312667c2296127684c81d3b92d5a6beb0ad17f210919661b9

SHA512
f96d648706616cd0c2d3ae95390dec8addd09ee2359cef762a801851517f5a82646508fc9b1fc12e156f78766ec6d02dbca439b8458c3af1c15999dc2a09d293

Download Submit
memory/3168-6-0x0000000005980000-0x0000000005992000-memory.dmp

Filesize
72KB

Download
memory/3168-3-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/3168-4-0x00000000059A0000-0x00000000059B0000-memory.dmp

Filesize
64KB

Download
memory/3168-5-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/3168-2-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/3168-7-0x0000000005B20000-0x0000000005B2C000-memory.dmp

Filesize
48KB

Download
memory/3168-8-0x0000000007380000-0x00000000073F6000-memory.dmp

Filesize
472KB

Download
memory/3168-9-0x0000000009A00000-0x0000000009A9C000-memory.dmp

Filesize
624KB

Download
memory/3168-1-0x0000000000C70000-0x0000000000D18000-memory.dmp

Filesize
672KB

Download
memory/3168-0-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/3168-24-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/3352-36-0x00000000011D0000-0x000000000151A000-memory.dmp

Filesize
3.3MB

Download
memory/3352-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3380-21-0x0000000004AA0000-0x0000000004AC2000-memory.dmp

Filesize
136KB

Download
memory/3380-41-0x0000000006050000-0x0000000006082000-memory.dmp

Filesize
200KB

Download
memory/3380-23-0x00000000053A0000-0x0000000005406000-memory.dmp

Filesize
408KB

Download
memory/3380-18-0x0000000004C00000-0x0000000005228000-memory.dmp

Filesize
6.2MB

Download
memory/3380-25-0x0000000005410000-0x0000000005476000-memory.dmp

Filesize
408KB

Download
memory/3380-16-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3380-15-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/3380-35-0x0000000005580000-0x00000000058D4000-memory.dmp

Filesize
3.3MB

Download
memory/3380-14-0x0000000002170000-0x00000000021A6000-memory.dmp

Filesize
216KB

Download
memory/3380-37-0x0000000005A10000-0x0000000005A2E000-memory.dmp

Filesize
120KB

Download
memory/3380-38-0x0000000005AF0000-0x0000000005B3C000-memory.dmp

Filesize
304KB

Download
memory/3380-39-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3380-40-0x000000007F920000-0x000000007F930000-memory.dmp

Filesize
64KB

Download
memory/3380-17-0x0000000002120000-0x0000000002130000-memory.dmp

Filesize
64KB

Download
memory/3380-42-0x0000000070AA0000-0x0000000070AEC000-memory.dmp

Filesize
304KB

Download
memory/3380-52-0x0000000006030000-0x000000000604E000-memory.dmp

Filesize
120KB

Download
memory/3380-53-0x0000000006C70000-0x0000000006D13000-memory.dmp

Filesize
652KB

Download
memory/3380-54-0x00000000073E0000-0x0000000007A5A000-memory.dmp

Filesize
6.5MB

Download
memory/3380-55-0x0000000006DA0000-0x0000000006DBA000-memory.dmp

Filesize
104KB

Download
memory/3380-56-0x0000000006E10000-0x0000000006E1A000-memory.dmp

Filesize
40KB

Download
memory/3380-57-0x0000000007020000-0x00000000070B6000-memory.dmp

Filesize
600KB

Download
memory/3380-58-0x0000000006FA0000-0x0000000006FB1000-memory.dmp

Filesize
68KB

Download
memory/3380-59-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download
memory/3380-60-0x0000000006FF0000-0x0000000006FFE000-memory.dmp

Filesize
56KB

Download
memory/3380-61-0x0000000007000000-0x0000000007014000-memory.dmp

Filesize
80KB

Download
memory/3380-62-0x0000000007100000-0x000000000711A000-memory.dmp

Filesize
104KB

Download
memory/3380-63-0x00000000070E0000-0x00000000070E8000-memory.dmp

Filesize
32KB

Download
memory/3380-66-0x00000000745B0000-0x0000000074D60000-memory.dmp

Filesize
7.7MB

Download

description	pid	process	target process
PID 3168 wrote to memory of 3380	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	powershell.exe
PID 3168 wrote to memory of 3380	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	powershell.exe
PID 3168 wrote to memory of 3380	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	powershell.exe
PID 3168 wrote to memory of 1016	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	schtasks.exe
PID 3168 wrote to memory of 1016	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	schtasks.exe
PID 3168 wrote to memory of 1016	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	schtasks.exe
PID 3168 wrote to memory of 3840	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3840	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3840	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3352	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3352	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3352	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3352	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3352	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe
PID 3168 wrote to memory of 3352	3168	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe	3bd968f2cff76757eb1bf75e19e8302ef97417c65ce9c0accf578eafae435c6a.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads