formbook | a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7

General

Target

a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
Size

981KB
MD5

249c382387f592eafab7e20a55560280
SHA1

364c13a8ac03c9708d92fa01e5d9d442c94f75dc
SHA256

a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7
SHA512

4c8ff6f05af4967c9d40638c86ea360d9b452d1be86ae6739e9fe36f84e20f7577032d4e32e349a1819777a1af2ce6515356a31533e1f269dbfd18fc86902ad5
SSDEEP

12288:X3/p8sL8kKR0zIYaGzp9t6Mde/l5KCuz65cgOGsLNaYuPjIG4Z6jf:n/p8/pR0EYp9wMdM5Juz6INKPjR4q

Score

10^/10

formbook uu09 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

uu09

Decoy

gnbojjfds.xyz

thepinkpen.net

oclocksl.com

aaaajjjjjffff.com

onlineppl.com

rokomariebook.com

protagonagency.store

brilliant.radio

amaniyaonline.shop

bouqclub.net

mrtranceman.com

mybet88gacor.com

huixua.shop

foundersdao.xyz

pileasures.top

summit-rhode.com

6wwr.top

randombutessential.com

ux-design-courses-85926.bond

domainz.rent

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/2732-27-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2732-28-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/560-34-0x0000000000DD0000-0x0000000000DFF000-memory.dmp	formbook
behavioral2/memory/560-36-0x0000000000DD0000-0x0000000000DFF000-memory.dmp	formbook

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skpye.lnk	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe

Executes dropped EXE 1 IoCs

pid	Process
2276	skpye.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2732 set thread context of 3316	2732	AddInProcess32.exe	57
PID 560 set thread context of 3316	560	rundll32.exe	57

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
4024	PING.EXE
4800	PING.EXE

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
2296	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2992	sype.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe
560	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2732	AddInProcess32.exe
2732	AddInProcess32.exe
2732	AddInProcess32.exe
560	rundll32.exe
560	rundll32.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2296	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2296	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
Token: SeDebugPrivilege	2992	sype.exe
Token: SeDebugPrivilege	2732	AddInProcess32.exe
Token: SeDebugPrivilege	560	rundll32.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 2992	2296	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe	97
PID 2296 wrote to memory of 2992	2296	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe	97
PID 2296 wrote to memory of 2992	2296	a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe	97
PID 2992 wrote to memory of 4348	2992	sype.exe	99
PID 2992 wrote to memory of 4348	2992	sype.exe	99
PID 2992 wrote to memory of 4348	2992	sype.exe	99
PID 4348 wrote to memory of 4024	4348	cmd.exe	101
PID 4348 wrote to memory of 4024	4348	cmd.exe	101
PID 4348 wrote to memory of 4024	4348	cmd.exe	101
PID 4348 wrote to memory of 4800	4348	cmd.exe	103
PID 4348 wrote to memory of 4800	4348	cmd.exe	103
PID 4348 wrote to memory of 4800	4348	cmd.exe	103
PID 4348 wrote to memory of 2276	4348	cmd.exe	104
PID 4348 wrote to memory of 2276	4348	cmd.exe	104
PID 4348 wrote to memory of 2276	4348	cmd.exe	104
PID 3316 wrote to memory of 560	3316	Explorer.EXE	106
PID 3316 wrote to memory of 560	3316	Explorer.EXE	106
PID 3316 wrote to memory of 560	3316	Explorer.EXE	106
PID 560 wrote to memory of 3936	560	rundll32.exe	107
PID 560 wrote to memory of 3936	560	rundll32.exe	107
PID 560 wrote to memory of 3936	560	rundll32.exe	107

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3316
- C:\Users\Admin\AppData\Local\Temp\a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe
  "C:\Users\Admin\AppData\Local\Temp\a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7.exe"
  2⤵
  - Checks computer location settings
  - Drops startup file
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Users\Admin\AppData\Local\Temp\sype.exe
    "C:\Users\Admin\AppData\Local\Temp\sype.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2992
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd" /c ping 127.0.0.1 -n 10 > nul && copy "C:\Users\Admin\AppData\Local\Temp\sype.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe" && ping 127.0.0.1 -n 10 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe"
      4⤵
      Drops startup file
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:4024
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 127.0.0.1 -n 10
        5⤵
        Runs ping.exe
        
        PID:4800
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe"
        5⤵
        Executes dropped EXE
        
        PID:2276
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
        6⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:560
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
    3⤵
    PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3928 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:1408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\skpye.exe

Filesize
981KB

MD5
249c382387f592eafab7e20a55560280

SHA1
364c13a8ac03c9708d92fa01e5d9d442c94f75dc

SHA256
a40b613bca52ec196d6be4ac375d9076922b41cc4742c15a2ff1137bd6400eb7

SHA512
4c8ff6f05af4967c9d40638c86ea360d9b452d1be86ae6739e9fe36f84e20f7577032d4e32e349a1819777a1af2ce6515356a31533e1f269dbfd18fc86902ad5

Download Submit
memory/560-33-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/560-31-0x0000000000270000-0x0000000000284000-memory.dmp

Filesize
80KB

Download
memory/560-38-0x0000000002D30000-0x0000000002DC3000-memory.dmp

Filesize
588KB

Download
memory/560-36-0x0000000000DD0000-0x0000000000DFF000-memory.dmp

Filesize
188KB

Download
memory/560-35-0x0000000002E50000-0x000000000319A000-memory.dmp

Filesize
3.3MB

Download
memory/560-34-0x0000000000DD0000-0x0000000000DFF000-memory.dmp

Filesize
188KB

Download
memory/2296-9-0x0000000007520000-0x0000000007A4C000-memory.dmp

Filesize
5.2MB

Download
memory/2296-2-0x0000000004CA0000-0x0000000004D3C000-memory.dmp

Filesize
624KB

Download
memory/2296-1-0x00000000006F0000-0x00000000007EC000-memory.dmp

Filesize
1008KB

Download
memory/2296-12-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/2296-3-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/2296-4-0x0000000004C90000-0x0000000004CA0000-memory.dmp

Filesize
64KB

Download
memory/2296-5-0x0000000005B20000-0x0000000005B64000-memory.dmp

Filesize
272KB

Download
memory/2296-6-0x0000000005C30000-0x0000000005CC2000-memory.dmp

Filesize
584KB

Download
memory/2296-0-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/2296-7-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

Filesize
40KB

Download
memory/2732-29-0x00000000010E0000-0x00000000010F4000-memory.dmp

Filesize
80KB

Download
memory/2732-28-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2732-26-0x0000000001560000-0x00000000018AA000-memory.dmp

Filesize
3.3MB

Download
memory/2732-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2992-14-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/2992-13-0x00000000055D0000-0x00000000055E0000-memory.dmp

Filesize
64KB

Download
memory/2992-11-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/2992-16-0x0000000074910000-0x00000000750C0000-memory.dmp

Filesize
7.7MB

Download
memory/3316-30-0x0000000008940000-0x0000000008AEB000-memory.dmp

Filesize
1.7MB

Download
memory/3316-39-0x0000000008940000-0x0000000008AEB000-memory.dmp

Filesize
1.7MB

Download
memory/3316-43-0x00000000084D0000-0x00000000085FD000-memory.dmp

Filesize
1.2MB

Download
memory/3316-42-0x00000000084D0000-0x00000000085FD000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing