formbook | 1129fe21c10584db13d4938057daaf0902ade1e86f777d5a3f60385cf84c43cd

General

Target

f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe
Size

804KB
MD5

5caf11e8152e62b0390dfb238cf334fd
SHA1

1c421dfe825cd736208eba05e1f97949e1c31cb2
SHA256

f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0
SHA512

c5a0932c8fe7d3f60ccfd51951befe9513fa78fae65bb60b7494205713dbaa05e0cfd43d76aac3eb1f47cf73a2e8c66e51e9052dfefaa39a3af175de536d7f13
SSDEEP

12288:GstXkJgxtAg3ulQ882gHDrvWecYYx/vH4+WOuJuHO49NiaFmyVSJr6Wz:Gza3Ag3QQ88NjrvgDvXWluHn9NzC6o

Score

10^/10

formbook gy14 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy14

Decoy

mavbam.com

theanhedonia.com

budgetnurseries.com

buflitr.com

alqamarhotel.com

2660348.top

123bu6.shop

v72999.com

yzyz841.xyz

247fracing.com

naples.beauty

twinklethrive.com

loscaseros.com

creditspisatylegko.site

sgyy3ej2dgwesb5.com

ufocafe.net

techn9nehollywoodundead.com

truedatalab.com

alterdpxlmarketing.com

harborspringsfire.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2596-19-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2596-25-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2784-35-0x00000000000A0000-0x00000000000CF000-memory.dmp	formbook
behavioral1/memory/2784-37-0x00000000000A0000-0x00000000000CF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exeRegSvcs.execontrol.exe

description	pid	process	target process
PID 3028 set thread context of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 2596 set thread context of 1200	2596	RegSvcs.exe	Explorer.EXE
PID 2784 set thread context of 1200	2784	control.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2600 schtasks.exe

pid	process
2600	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

RegSvcs.exepowershell.execontrol.exe

pid	process
2596	RegSvcs.exe
2596	RegSvcs.exe
1168	powershell.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe
2784	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegSvcs.execontrol.exe

pid process

2596 RegSvcs.exe
2596 RegSvcs.exe
2596 RegSvcs.exe
2784 control.exe
2784 control.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RegSvcs.exepowershell.execontrol.exe

description pid process

Token: SeDebugPrivilege 2596 RegSvcs.exe
Token: SeDebugPrivilege 1168 powershell.exe
Token: SeDebugPrivilege 2784 control.exe

description	pid	process
Token: SeDebugPrivilege	2596	RegSvcs.exe
Token: SeDebugPrivilege	1168	powershell.exe
Token: SeDebugPrivilege	2784	control.exe

Suspicious use of WriteProcessMemory 26 IoCs

Processes:

f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 3028 wrote to memory of 1168	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	powershell.exe
PID 3028 wrote to memory of 1168	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	powershell.exe
PID 3028 wrote to memory of 1168	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	powershell.exe
PID 3028 wrote to memory of 1168	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	powershell.exe
PID 3028 wrote to memory of 2600	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	schtasks.exe
PID 3028 wrote to memory of 2600	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	schtasks.exe
PID 3028 wrote to memory of 2600	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	schtasks.exe
PID 3028 wrote to memory of 2600	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	schtasks.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 3028 wrote to memory of 2596	3028	f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe	RegSvcs.exe
PID 1200 wrote to memory of 2784	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 2784	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 2784	1200	Explorer.EXE	control.exe
PID 1200 wrote to memory of 2784	1200	Explorer.EXE	control.exe
PID 2784 wrote to memory of 1408	2784	control.exe	cmd.exe
PID 2784 wrote to memory of 1408	2784	control.exe	cmd.exe
PID 2784 wrote to memory of 1408	2784	control.exe	cmd.exe
PID 2784 wrote to memory of 1408	2784	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe
"C:\Users\Admin\AppData\Local\Temp\f0164ec8c236a65046db19bb07dc24d20c7785bf1adc0823d89b568164dae9b0.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\leoCGEUNoE.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1168

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\leoCGEUNoE" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp"
3⤵
- Creates scheduled task(s)
PID:2600

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2784

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:1408

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Scheduled Task/Job

1

T1053

Privilege Escalation

Scheduled Task/Job

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp5ABD.tmp
Filesize
1KB

MD5
7dd2f0769adb44afe8bbf5865ff4e1f8

SHA1
cd44c783de985dfcccc0d74da75d7de7c054054d

SHA256
e6ae9a0d5792d180cfe1d50aa8a2503ddf39c2aceb35b36385205e854c447434

SHA512
a9771ae8feb4cd0bac82c218e5c6ae62a1a61d9c97dd0321139445605ddfbd585a8b629fab7c33ea8a225feecfef9b5e7135cfeeccae22634965a6cc1c59a15d

Download Submit
memory/1168-31-0x0000000002AD0000-0x0000000002B10000-memory.dmp

Filesize
256KB

Download
memory/1168-23-0x000000006EFE0000-0x000000006F58B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-24-0x000000006EFE0000-0x000000006F58B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-32-0x000000006EFE0000-0x000000006F58B000-memory.dmp

Filesize
5.7MB

Download
memory/1168-26-0x0000000002AD0000-0x0000000002B10000-memory.dmp

Filesize
256KB

Download
memory/1168-29-0x0000000002AD0000-0x0000000002B10000-memory.dmp

Filesize
256KB

Download
memory/1200-22-0x0000000003150000-0x0000000003250000-memory.dmp

Filesize
1024KB

Download
memory/1200-28-0x00000000050E0000-0x0000000005242000-memory.dmp

Filesize
1.4MB

Download
memory/2596-30-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download
memory/2596-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2596-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-27-0x0000000000290000-0x00000000002A5000-memory.dmp

Filesize
84KB

Download
memory/2596-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2596-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2784-33-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/2784-37-0x00000000000A0000-0x00000000000CF000-memory.dmp

Filesize
188KB

Download
memory/2784-40-0x0000000000600000-0x0000000000694000-memory.dmp

Filesize
592KB

Download
memory/2784-36-0x0000000002000000-0x0000000002303000-memory.dmp

Filesize
3.0MB

Download
memory/2784-35-0x00000000000A0000-0x00000000000CF000-memory.dmp

Filesize
188KB

Download
memory/2784-34-0x0000000000080000-0x000000000009F000-memory.dmp

Filesize
124KB

Download
memory/3028-1-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-5-0x0000000004DC0000-0x0000000004E2E000-memory.dmp

Filesize
440KB

Download
memory/3028-0-0x00000000003B0000-0x0000000000480000-memory.dmp

Filesize
832KB

Download
memory/3028-2-0x0000000001E90000-0x0000000001ED0000-memory.dmp

Filesize
256KB

Download
memory/3028-4-0x0000000000830000-0x000000000083E000-memory.dmp

Filesize
56KB

Download
memory/3028-20-0x0000000074BB0000-0x000000007529E000-memory.dmp

Filesize
6.9MB

Download
memory/3028-3-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads