formbook | 8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e

General

Target

SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Size

629KB
MD5

eebb33a5375ffd40682c86deea752033
SHA1

8ed7b849ba2829a164ee569995f2d4d8a8d90924
SHA256

8859d68e69b5464a0100ca99aed26dec828ae92287ce09ce984db073c66e8e4e
SHA512

77b5fb3046040512a93e4e7069a5e4ded1362c2913b928232d00be416f93619c21e5a3aef20516336eb81e7c4067f88ae67caeada31ddda7480b0a5e3fcf5fe5
SSDEEP

12288:DK0YOwqVT+BnEymdHekIrOuPhKPrbgAoOxCzSb0c6gb/wM4IKkR:DqO7VDVdDIrOusrbZoGWy0c9wM4IJ

Score

10^/10

formbook dz25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dz25

Decoy

sdw123.com

theflower-jeju.com

bigbargins.shop

xn--grsdetetizao-dcb9c.site

visionprobiz.com

ebruunalsigorta.xyz

51tree.net

tommeynadier.com

spx21.com

researchupdatehub.com

rserveohio.com

schemaconsultant.com

ec-peleti.com

songkokgelhq.shop

sixfigureswithkarah.net

quickfinancebrokerage.com

alliance-couverture.com

heartlandinnovates.com

art-friday.online

curi-o-rama.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4328-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	SecuriteInfo.com.Win32.PWSX-gen.21551.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exe

description	pid	process	target process
PID 5028 set thread context of 4328	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exeSecuriteInfo.com.Win32.PWSX-gen.21551.exepowershell.exe

pid	process
5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
4328	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
4328	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
2296	powershell.exe
2296	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exepowershell.exe

description pid process

Token: SeDebugPrivilege 5028 SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Token: SeDebugPrivilege 2296 powershell.exe

description	pid	process
Token: SeDebugPrivilege	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
Token: SeDebugPrivilege	2296	powershell.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21551.exe

description	pid	process	target process
PID 5028 wrote to memory of 2296	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	powershell.exe
PID 5028 wrote to memory of 2296	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	powershell.exe
PID 5028 wrote to memory of 2296	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	powershell.exe
PID 5028 wrote to memory of 4328	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 5028 wrote to memory of 4328	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 5028 wrote to memory of 4328	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 5028 wrote to memory of 4328	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 5028 wrote to memory of 4328	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe
PID 5028 wrote to memory of 4328	5028	SecuriteInfo.com.Win32.PWSX-gen.21551.exe	SecuriteInfo.com.Win32.PWSX-gen.21551.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2296

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21551.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pu5kgch1.dul.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2296-47-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2296-21-0x0000000004FD0000-0x0000000005036000-memory.dmp

Filesize
408KB

Download
memory/2296-61-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2296-22-0x0000000005170000-0x00000000051D6000-memory.dmp

Filesize
408KB

Download
memory/2296-58-0x0000000007530000-0x0000000007538000-memory.dmp

Filesize
32KB

Download
memory/2296-32-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/2296-57-0x0000000007550000-0x000000000756A000-memory.dmp

Filesize
104KB

Download
memory/2296-56-0x0000000007450000-0x0000000007464000-memory.dmp

Filesize
80KB

Download
memory/2296-55-0x0000000007440000-0x000000000744E000-memory.dmp

Filesize
56KB

Download
memory/2296-46-0x00000000064B0000-0x00000000064CE000-memory.dmp

Filesize
120KB

Download
memory/2296-54-0x0000000007410000-0x0000000007421000-memory.dmp

Filesize
68KB

Download
memory/2296-53-0x0000000007490000-0x0000000007526000-memory.dmp

Filesize
600KB

Download
memory/2296-52-0x0000000007280000-0x000000000728A000-memory.dmp

Filesize
40KB

Download
memory/2296-36-0x0000000070890000-0x00000000708DC000-memory.dmp

Filesize
304KB

Download
memory/2296-16-0x0000000074A70000-0x0000000075220000-memory.dmp

Filesize
7.7MB

Download
memory/2296-17-0x00000000025B0000-0x00000000025E6000-memory.dmp

Filesize
216KB

Download
memory/2296-18-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2296-19-0x00000000051E0000-0x0000000005808000-memory.dmp

Filesize
6.2MB

Download
memory/2296-20-0x0000000004F30000-0x0000000004F52000-memory.dmp

Filesize
136KB

Download
memory/2296-48-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/2296-51-0x0000000007210000-0x000000000722A000-memory.dmp

Filesize
104KB

Download
memory/2296-50-0x0000000007850000-0x0000000007ECA000-memory.dmp

Filesize
6.5MB

Download
memory/2296-49-0x0000000002610000-0x0000000002620000-memory.dmp

Filesize
64KB

Download
memory/2296-33-0x0000000005EE0000-0x0000000005EFE000-memory.dmp

Filesize
120KB

Download
memory/2296-34-0x0000000005F10000-0x0000000005F5C000-memory.dmp

Filesize
304KB

Download
memory/2296-35-0x0000000006E90000-0x0000000006EC2000-memory.dmp

Filesize
200KB

Download
memory/4328-13-0x00000000016A0000-0x00000000019EA000-memory.dmp

Filesize
3.3MB

Download
memory/4328-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5028-15-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/5028-0-0x0000000000EB0000-0x0000000000F4A000-memory.dmp

Filesize
616KB

Download
memory/5028-6-0x0000000007280000-0x000000000729A000-memory.dmp

Filesize
104KB

Download
memory/5028-8-0x0000000007580000-0x00000000075F6000-memory.dmp

Filesize
472KB

Download
memory/5028-4-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/5028-14-0x0000000005930000-0x0000000005940000-memory.dmp

Filesize
64KB

Download
memory/5028-2-0x0000000005E60000-0x0000000006404000-memory.dmp

Filesize
5.6MB

Download
memory/5028-12-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/5028-9-0x0000000009C20000-0x0000000009CBC000-memory.dmp

Filesize
624KB

Download
memory/5028-1-0x00000000749D0000-0x0000000075180000-memory.dmp

Filesize
7.7MB

Download
memory/5028-7-0x00000000072A0000-0x00000000072AC000-memory.dmp

Filesize
48KB

Download
memory/5028-5-0x0000000005AE0000-0x0000000005AEA000-memory.dmp

Filesize
40KB

Download
memory/5028-3-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads