formbook | ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924

General

Target

ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe
Size

619KB
MD5

996f511df3eb434b0c8c8bb2f5ffac86
SHA1

61c47ca95118845ed58d0a95861534b2c697e073
SHA256

ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924
SHA512

443152150b99c31c82ef2d74e6a9bbba4b970c4863ed4527b6df299f622705c72a72d0e34f1698227cd463ed77d66322d284f8e650451dc020d2d62b69e04d13
SSDEEP

12288:WG2iNlw0Tpi/K61Zp5TIoc2uEj+5Qf+rdu7BrYb0kg4taHk9KnQbJUNkR:h1XLodbpOoci2Q+rdUrYQjHkcQbZ

Score

10^/10

formbook dd20 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dd20

Decoy

unblurd.com

docu-zign.com

randijpaulsen.com

angsabet.com

sedatelynx.com

opiumcore.store

thelordismysaviormerch.com

mindstudio.support

waterbygraceteam.com

furnitureinspiredbythesea.com

amablanca.com

hespelerdental.com

arcalid.net

balajinursingbureau.online

caixias.shop

solingen-buergerstiftung.com

194916.top

6travel-insurance.xyz

xn--fiqp9b17y.xn--czr694b

syntixi.trade

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Detects executables packed with SmartAssembly 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2924-4-0x0000000000560000-0x000000000056C000-memory.dmp	INDICATOR_EXE_Packed_SmartAssembly

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2628-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2628-23-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2628-31-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2980-37-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2980-39-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exeRegSvcs.exeipconfig.exe

description	pid	process	target process
PID 2924 set thread context of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2628 set thread context of 1204	2628	RegSvcs.exe	Explorer.EXE
PID 2628 set thread context of 1204	2628	RegSvcs.exe	Explorer.EXE
PID 2980 set thread context of 1204	2980	ipconfig.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2572 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

2980 ipconfig.exe

pid	process
2572	schtasks.exe

pid	process
2980	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

Processes:

ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exeRegSvcs.exepowershell.exeipconfig.exe

pid	process
2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe
2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe
2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe
2628	RegSvcs.exe
2628	RegSvcs.exe
2520	powershell.exe
2628	RegSvcs.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe
2980	ipconfig.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exeipconfig.exe

pid process

2628 RegSvcs.exe
2628 RegSvcs.exe
2628 RegSvcs.exe
2628 RegSvcs.exe
2980 ipconfig.exe
2980 ipconfig.exe

pid	process
2628	RegSvcs.exe
2628	RegSvcs.exe
2628	RegSvcs.exe
2628	RegSvcs.exe
2980	ipconfig.exe
2980	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exeRegSvcs.exepowershell.exeipconfig.exe

description	pid	process
Token: SeDebugPrivilege	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe
Token: SeDebugPrivilege	2628	RegSvcs.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	2980	ipconfig.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 2924 wrote to memory of 2520	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	powershell.exe
PID 2924 wrote to memory of 2520	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	powershell.exe
PID 2924 wrote to memory of 2520	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	powershell.exe
PID 2924 wrote to memory of 2520	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	powershell.exe
PID 2924 wrote to memory of 2572	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	schtasks.exe
PID 2924 wrote to memory of 2572	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	schtasks.exe
PID 2924 wrote to memory of 2572	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	schtasks.exe
PID 2924 wrote to memory of 2572	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	schtasks.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 2924 wrote to memory of 2628	2924	ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe	RegSvcs.exe
PID 1204 wrote to memory of 2980	1204	Explorer.EXE	ipconfig.exe
PID 1204 wrote to memory of 2980	1204	Explorer.EXE	ipconfig.exe
PID 1204 wrote to memory of 2980	1204	Explorer.EXE	ipconfig.exe
PID 1204 wrote to memory of 2980	1204	Explorer.EXE	ipconfig.exe
PID 2980 wrote to memory of 1660	2980	ipconfig.exe	cmd.exe
PID 2980 wrote to memory of 1660	2980	ipconfig.exe	cmd.exe
PID 2980 wrote to memory of 1660	2980	ipconfig.exe	cmd.exe
PID 2980 wrote to memory of 1660	2980	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204

C:\Users\Admin\AppData\Local\Temp\ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe
"C:\Users\Admin\AppData\Local\Temp\ed70aaa765d3f4e890b381829f6ab14eef928f6fc9bc6207f83dec6695525924.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2924

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\hIHKJIXn.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hIHKJIXn" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46EF.tmp"
3⤵
- Creates scheduled task(s)
PID:2572

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1660

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp46EF.tmp
Filesize
1KB

MD5
494873bdae664f51324858f787684077

SHA1
484fd9d1ecbe8fadcc1ed546570f71a713b0f63b

SHA256
1888bf7d5116c0e1f7578f2a525ed1303932d17ebeaf076b1cd7395cc169b96d

SHA512
295ab4d9c0fb76bfdc145754c7e143385e7a2e84d7a0687fd49c95bebdbc2d4f16ef853776560914cd2f246f748a1b1fcf3e002a6d477fff2a1fbbcc1f156c53

Download Submit
memory/1204-20-0x0000000003C70000-0x0000000003D70000-memory.dmp

Filesize
1024KB

Download
memory/1204-48-0x0000000006740000-0x0000000006895000-memory.dmp

Filesize
1.3MB

Download
memory/1204-45-0x0000000006740000-0x0000000006895000-memory.dmp

Filesize
1.3MB

Download
memory/1204-44-0x0000000006740000-0x0000000006895000-memory.dmp

Filesize
1.3MB

Download
memory/1204-42-0x0000000007750000-0x00000000078E0000-memory.dmp

Filesize
1.6MB

Download
memory/1204-34-0x0000000007750000-0x00000000078E0000-memory.dmp

Filesize
1.6MB

Download
memory/1204-28-0x0000000004FA0000-0x0000000005129000-memory.dmp

Filesize
1.5MB

Download
memory/2520-25-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2520-22-0x000000006E8E0000-0x000000006EE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-29-0x000000006E8E0000-0x000000006EE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2520-27-0x0000000002A60000-0x0000000002AA0000-memory.dmp

Filesize
256KB

Download
memory/2520-21-0x000000006E8E0000-0x000000006EE8B000-memory.dmp

Filesize
5.7MB

Download
memory/2628-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-31-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-15-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2628-24-0x0000000000240000-0x0000000000255000-memory.dmp

Filesize
84KB

Download
memory/2628-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-26-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/2628-33-0x0000000000300000-0x0000000000315000-memory.dmp

Filesize
84KB

Download
memory/2628-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2628-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2924-5-0x00000000052E0000-0x0000000005356000-memory.dmp

Filesize
472KB

Download
memory/2924-18-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2924-0-0x0000000001020000-0x00000000010BC000-memory.dmp

Filesize
624KB

Download
memory/2924-4-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2924-3-0x0000000000420000-0x0000000000432000-memory.dmp

Filesize
72KB

Download
memory/2924-2-0x0000000000F30000-0x0000000000F70000-memory.dmp

Filesize
256KB

Download
memory/2924-1-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2980-35-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2980-36-0x0000000000E20000-0x0000000000E2A000-memory.dmp

Filesize
40KB

Download
memory/2980-37-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2980-38-0x0000000002230000-0x0000000002533000-memory.dmp

Filesize
3.0MB

Download
memory/2980-39-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2980-41-0x0000000000AB0000-0x0000000000B44000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads