formbook | 61e2a9db8f357380b18ba1017f2ae52d656d2c5f4de8851e244566b8c986d88a

General

Target

order 4502657678.exe
Size

789KB
MD5

82df9d1ee9b303d453a7ea91d5f574e2
SHA1

4b121f046e002ac5e2fbeec21079f6fd4c55d370
SHA256

61e2a9db8f357380b18ba1017f2ae52d656d2c5f4de8851e244566b8c986d88a
SHA512

d685fcd4d408f7421d9546ad82435b555563fddd698e3fc5499204935b0556f7bbf2156c1a60f49cdbdee2a289d122405992cfd0b63a1d59b05b4b545471270c
SSDEEP

12288:2uOpmBwGXjdX32ogZ+g/yHgtK+CVIN5X9yKBg7vjlRziln:ZOpmB3XZnMZ4goi39yKe/DA

Score

10^/10

formbook ij84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ij84

Decoy

resetter.xyz

simonbelanger.me

kwip.xyz

7dbb9.baby

notion-everyday.com

saftiwall.com

pulse-gaming.com

fafafa1.shop

ihaveahole.com

sxtzzj.com

996688x.xyz

komalili.monster

haberdashere.store

nurselifegng.com

kidtryz.com

ghvx.xyz

1minvideopro.com

hidef.group

stylishbeststyler.space

spx21.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1904-33-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1904-37-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2000-43-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2000-45-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Drops startup file 3 IoCs

Processes:

order 4502657678.execmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\purches order.lnk	order 4502657678.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

purches order.exe

pid process

968 purches order.exe
Loads dropped DLL 2 IoCs

Processes:

cmd.exe

pid process

2664 cmd.exe
2664 cmd.exe

pid	process
968	purches order.exe

pid	process
2664	cmd.exe
2664	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

purches order.exeAddInProcess32.exeraserver.exe

description	pid	process	target process
PID 968 set thread context of 1904	968	purches order.exe	AddInProcess32.exe
PID 1904 set thread context of 1264	1904	AddInProcess32.exe	Explorer.EXE
PID 2000 set thread context of 1264	2000	raserver.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

2632 PING.EXE
2496 PING.EXE

pid	process
2632	PING.EXE
2496	PING.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

order 4502657678.exeghedgegehe.exepurches order.exeAddInProcess32.exeraserver.exe

pid	process
2504	order 4502657678.exe
2612	ghedgegehe.exe
2612	ghedgegehe.exe
2612	ghedgegehe.exe
2612	ghedgegehe.exe
968	purches order.exe
968	purches order.exe
1904	AddInProcess32.exe
1904	AddInProcess32.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe
2000	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

AddInProcess32.exeraserver.exe

pid process

1904 AddInProcess32.exe
1904 AddInProcess32.exe
1904 AddInProcess32.exe
2000 raserver.exe
2000 raserver.exe
Suspicious behavior: RenamesItself 1 IoCs

Processes:

order 4502657678.exe

pid process

2504 order 4502657678.exe

pid	process
1904	AddInProcess32.exe
1904	AddInProcess32.exe
1904	AddInProcess32.exe
2000	raserver.exe
2000	raserver.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

order 4502657678.exeghedgegehe.exepurches order.exeAddInProcess32.exeraserver.exe

description	pid	process
Token: SeDebugPrivilege	2504	order 4502657678.exe
Token: SeDebugPrivilege	2612	ghedgegehe.exe
Token: SeDebugPrivilege	968	purches order.exe
Token: SeDebugPrivilege	1904	AddInProcess32.exe
Token: SeDebugPrivilege	2000	raserver.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

order 4502657678.exeghedgegehe.execmd.exepurches order.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2504 wrote to memory of 2612	2504	order 4502657678.exe	ghedgegehe.exe
PID 2504 wrote to memory of 2612	2504	order 4502657678.exe	ghedgegehe.exe
PID 2504 wrote to memory of 2612	2504	order 4502657678.exe	ghedgegehe.exe
PID 2504 wrote to memory of 2612	2504	order 4502657678.exe	ghedgegehe.exe
PID 2612 wrote to memory of 2664	2612	ghedgegehe.exe	cmd.exe
PID 2612 wrote to memory of 2664	2612	ghedgegehe.exe	cmd.exe
PID 2612 wrote to memory of 2664	2612	ghedgegehe.exe	cmd.exe
PID 2612 wrote to memory of 2664	2612	ghedgegehe.exe	cmd.exe
PID 2664 wrote to memory of 2632	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2632	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2632	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2632	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2496	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2496	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2496	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 2496	2664	cmd.exe	PING.EXE
PID 2664 wrote to memory of 968	2664	cmd.exe	purches order.exe
PID 2664 wrote to memory of 968	2664	cmd.exe	purches order.exe
PID 2664 wrote to memory of 968	2664	cmd.exe	purches order.exe
PID 2664 wrote to memory of 968	2664	cmd.exe	purches order.exe
PID 968 wrote to memory of 1904	968	purches order.exe	AddInProcess32.exe
PID 968 wrote to memory of 1904	968	purches order.exe	AddInProcess32.exe
PID 968 wrote to memory of 1904	968	purches order.exe	AddInProcess32.exe
PID 968 wrote to memory of 1904	968	purches order.exe	AddInProcess32.exe
PID 968 wrote to memory of 1904	968	purches order.exe	AddInProcess32.exe
PID 968 wrote to memory of 1904	968	purches order.exe	AddInProcess32.exe
PID 968 wrote to memory of 1904	968	purches order.exe	AddInProcess32.exe
PID 1264 wrote to memory of 2000	1264	Explorer.EXE	raserver.exe
PID 1264 wrote to memory of 2000	1264	Explorer.EXE	raserver.exe
PID 1264 wrote to memory of 2000	1264	Explorer.EXE	raserver.exe
PID 1264 wrote to memory of 2000	1264	Explorer.EXE	raserver.exe
PID 2000 wrote to memory of 1924	2000	raserver.exe	cmd.exe
PID 2000 wrote to memory of 1924	2000	raserver.exe	cmd.exe
PID 2000 wrote to memory of 1924	2000	raserver.exe	cmd.exe
PID 2000 wrote to memory of 1924	2000	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\order 4502657678.exe
"C:\Users\Admin\AppData\Local\Temp\order 4502657678.exe"
2⤵
- Drops startup file
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504

C:\Users\Admin\AppData\Local\Temp\ghedgegehe.exe
"C:\Users\Admin\AppData\Local\Temp\ghedgegehe.exe"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
"cmd" /c ping 127.0.0.1 -n 13 > nul && copy "C:\Users\Admin\AppData\Local\Temp\ghedgegehe.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe" && ping 127.0.0.1 -n 13 > nul && "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe"
4⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
5⤵
- Runs ping.exe
PID:2632

C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 13
5⤵
- Runs ping.exe
PID:2496

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
6⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe"
3⤵
PID:1924

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\skype\purches order.exe
Filesize
789KB

MD5
82df9d1ee9b303d453a7ea91d5f574e2

SHA1
4b121f046e002ac5e2fbeec21079f6fd4c55d370

SHA256
61e2a9db8f357380b18ba1017f2ae52d656d2c5f4de8851e244566b8c986d88a

SHA512
d685fcd4d408f7421d9546ad82435b555563fddd698e3fc5499204935b0556f7bbf2156c1a60f49cdbdee2a289d122405992cfd0b63a1d59b05b4b545471270c

Download Submit
memory/968-21-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/968-34-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/968-32-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/968-31-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/968-30-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/968-24-0x0000000001ED0000-0x0000000001ED6000-memory.dmp

Filesize
24KB

Download
memory/968-23-0x0000000002070000-0x000000000208A000-memory.dmp

Filesize
104KB

Download
memory/968-22-0x0000000004990000-0x00000000049D0000-memory.dmp

Filesize
256KB

Download
memory/968-20-0x0000000000820000-0x00000000008EC000-memory.dmp

Filesize
816KB

Download
memory/968-19-0x0000000073F40000-0x000000007462E000-memory.dmp

Filesize
6.9MB

Download
memory/1264-38-0x0000000004BB0000-0x0000000004CB0000-memory.dmp

Filesize
1024KB

Download
memory/1264-40-0x00000000061A0000-0x00000000062BE000-memory.dmp

Filesize
1.1MB

Download
memory/1264-48-0x00000000061A0000-0x00000000062BE000-memory.dmp

Filesize
1.1MB

Download
memory/1904-39-0x0000000000130000-0x0000000000144000-memory.dmp

Filesize
80KB

Download
memory/1904-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-27-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-29-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1904-25-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-37-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-35-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/2000-43-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2000-44-0x0000000002130000-0x0000000002433000-memory.dmp

Filesize
3.0MB

Download
memory/2000-46-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2000-45-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2000-42-0x00000000003F0000-0x000000000040C000-memory.dmp

Filesize
112KB

Download
memory/2000-41-0x00000000003F0000-0x000000000040C000-memory.dmp

Filesize
112KB

Download
memory/2504-3-0x0000000002020000-0x0000000002064000-memory.dmp

Filesize
272KB

Download
memory/2504-5-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-1-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2504-0-0x00000000009C0000-0x0000000000A8C000-memory.dmp

Filesize
816KB

Download
memory/2504-2-0x0000000004C80000-0x0000000004CC0000-memory.dmp

Filesize
256KB

Download
memory/2612-8-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-6-0x0000000073F20000-0x000000007460E000-memory.dmp

Filesize
6.9MB

Download
memory/2612-7-0x0000000004930000-0x0000000004970000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads