formbook | 151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4

General

Target

151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe
Size

562KB
MD5

84144b6048277290bb6eb647bbc5ad2a
SHA1

609a26e95e4b343bfb47ab51bdd68ef9a8ef791f
SHA256

151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4
SHA512

792f0c22ed8aef3766f773f4c49698e9d2d2678191c98493e83076fa90dc8a83d67cdd00fe46d7409b4eeb1539c542cd0219b4b9121d45ecbb0ec0ac3bd94baa
SSDEEP

12288:R+vLWa44/RYO83ksdpiVRkvZU08wvzTIVodNgvBqk0WFLehfK2iE3LKvmbrJ:E44/Ky7MN7LT4vBqkle1FPbKSd

Score

10^/10

formbook gy14 persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy14

Decoy

mavbam.com

theanhedonia.com

budgetnurseries.com

buflitr.com

alqamarhotel.com

2660348.top

123bu6.shop

v72999.com

yzyz841.xyz

247fracing.com

naples.beauty

twinklethrive.com

loscaseros.com

creditspisatylegko.site

sgyy3ej2dgwesb5.com

ufocafe.net

techn9nehollywoodundead.com

truedatalab.com

alterdpxlmarketing.com

harborspringsfire.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2560-34-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2560-38-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2560-44-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2792-49-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	wlanext.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\JTH0NRUHVFE = "C:\\Program Files (x86)\\Windows Mail\\wab.exe"	wlanext.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exewab.exewlanext.exe

description	pid	process	target process
PID 2040 set thread context of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2560 set thread context of 1208	2560	wab.exe	Explorer.EXE
PID 2560 set thread context of 1208	2560	wab.exe	Explorer.EXE
PID 2792 set thread context of 1208	2792	wlanext.exe	Explorer.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

wlanext.exe

description	ioc	process
Key created	\Registry\User\S-1-5-21-2248906074-2862704502-246302768-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	wlanext.exe

Runs regedit.exe 1 IoCs

Processes:

regedit.exe

pid process

2664 regedit.exe

pid	process
2664	regedit.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

wab.exewlanext.exe

pid	process
2560	wab.exe
2560	wab.exe
2560	wab.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe
2792	wlanext.exe

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

wab.exewlanext.exe

pid process

2560 wab.exe
2560 wab.exe
2560 wab.exe
2560 wab.exe
2792 wlanext.exe
2792 wlanext.exe
2792 wlanext.exe
2792 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wab.exewlanext.exe

description pid process

Token: SeDebugPrivilege 2560 wab.exe
Token: SeDebugPrivilege 2792 wlanext.exe

description	pid	process
Token: SeDebugPrivilege	2560	wab.exe
Token: SeDebugPrivilege	2792	wlanext.exe

Suspicious use of WriteProcessMemory 56 IoCs

Processes:

151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 2040 wrote to memory of 2524	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	calc.exe
PID 2040 wrote to memory of 2524	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	calc.exe
PID 2040 wrote to memory of 2524	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	calc.exe
PID 2040 wrote to memory of 2524	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	calc.exe
PID 2040 wrote to memory of 2524	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	calc.exe
PID 2040 wrote to memory of 2964	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	cmd.exe
PID 2040 wrote to memory of 2964	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	cmd.exe
PID 2040 wrote to memory of 2964	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	cmd.exe
PID 2040 wrote to memory of 2964	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	cmd.exe
PID 2040 wrote to memory of 2964	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	cmd.exe
PID 2040 wrote to memory of 2588	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	aspnet_wp.exe
PID 2040 wrote to memory of 2588	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	aspnet_wp.exe
PID 2040 wrote to memory of 2588	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	aspnet_wp.exe
PID 2040 wrote to memory of 2588	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	aspnet_wp.exe
PID 2040 wrote to memory of 2588	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	aspnet_wp.exe
PID 2040 wrote to memory of 2588	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	aspnet_wp.exe
PID 2040 wrote to memory of 2652	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	csc.exe
PID 2040 wrote to memory of 2652	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	csc.exe
PID 2040 wrote to memory of 2652	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	csc.exe
PID 2040 wrote to memory of 2652	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	csc.exe
PID 2040 wrote to memory of 2664	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	regedit.exe
PID 2040 wrote to memory of 2664	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	regedit.exe
PID 2040 wrote to memory of 2664	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	regedit.exe
PID 2040 wrote to memory of 2664	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	regedit.exe
PID 2040 wrote to memory of 2664	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	regedit.exe
PID 2040 wrote to memory of 2276	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	ngen.exe
PID 2040 wrote to memory of 2276	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	ngen.exe
PID 2040 wrote to memory of 2276	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	ngen.exe
PID 2040 wrote to memory of 2276	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	ngen.exe
PID 2040 wrote to memory of 2276	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	ngen.exe
PID 2040 wrote to memory of 2276	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	ngen.exe
PID 2040 wrote to memory of 2452	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	svchost.exe
PID 2040 wrote to memory of 2452	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	svchost.exe
PID 2040 wrote to memory of 2452	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	svchost.exe
PID 2040 wrote to memory of 2452	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	svchost.exe
PID 2040 wrote to memory of 2452	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	svchost.exe
PID 2040 wrote to memory of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2560	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2780	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2780	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2780	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 2040 wrote to memory of 2780	2040	151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe	wab.exe
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	wlanext.exe
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	wlanext.exe
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	wlanext.exe
PID 1208 wrote to memory of 2792	1208	Explorer.EXE	wlanext.exe
PID 2792 wrote to memory of 2324	2792	wlanext.exe	Firefox.exe
PID 2792 wrote to memory of 2324	2792	wlanext.exe	Firefox.exe
PID 2792 wrote to memory of 2324	2792	wlanext.exe	Firefox.exe
PID 2792 wrote to memory of 2324	2792	wlanext.exe	Firefox.exe
PID 2792 wrote to memory of 2324	2792	wlanext.exe	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe
"C:\Users\Admin\AppData\Local\Temp\151bfa7336a9c96e65bf8a0eeb54a3d34665e612c8c5b3a7886f16a6f58277c4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2040

C:\Windows\System32\calc.exe
"C:\Windows\System32\calc.exe"
3⤵
PID:2524

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
3⤵
PID:2964

C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
3⤵
PID:2588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:2652

C:\Windows\regedit.exe
"C:\Windows\regedit.exe"
3⤵
- Runs regedit.exe
PID:2664

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
3⤵
PID:2276

C:\Windows\System32\svchost.exe
"C:\Windows\System32\svchost.exe"
3⤵
PID:2452

C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2560

C:\Program Files (x86)\Windows Mail\wab.exe
"C:\Program Files (x86)\Windows Mail\wab.exe"
3⤵
PID:2780

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2460

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2476

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2496

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2516

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2564

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2892

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2940

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2712

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2032

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2264

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2908

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:768

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1904

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1448

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1596

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2432

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2692

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2728

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2544

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2748

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2772

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2744

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2752

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Adds policy Run key to start application
- Suspicious use of SetThreadContext
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:2324

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-40-0x0000000003070000-0x0000000003170000-memory.dmp

Filesize
1024KB

Download
memory/1208-58-0x0000000006C10000-0x0000000006D85000-memory.dmp

Filesize
1.5MB

Download
memory/1208-55-0x00000000052E0000-0x00000000053FB000-memory.dmp

Filesize
1.1MB

Download
memory/1208-46-0x0000000006C10000-0x0000000006D85000-memory.dmp

Filesize
1.5MB

Download
memory/1208-41-0x00000000052E0000-0x00000000053FB000-memory.dmp

Filesize
1.1MB

Download
memory/2040-1-0x0000000000DC0000-0x0000000000DCC000-memory.dmp

Filesize
48KB

Download
memory/2040-2-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2040-3-0x0000000000230000-0x0000000000236000-memory.dmp

Filesize
24KB

Download
memory/2040-4-0x0000000000D10000-0x0000000000D96000-memory.dmp

Filesize
536KB

Download
memory/2040-0-0x000007FEF5283000-0x000007FEF5284000-memory.dmp

Filesize
4KB

Download
memory/2040-35-0x000007FEF5280000-0x000007FEF5C6C000-memory.dmp

Filesize
9.9MB

Download
memory/2524-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2524-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-38-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-39-0x0000000000190000-0x00000000001A5000-memory.dmp

Filesize
84KB

Download
memory/2560-36-0x0000000000A10000-0x0000000000D13000-memory.dmp

Filesize
3.0MB

Download
memory/2560-33-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2560-45-0x0000000000220000-0x0000000000235000-memory.dmp

Filesize
84KB

Download
memory/2560-44-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2560-34-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-48-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/2792-47-0x0000000000B10000-0x0000000000B26000-memory.dmp

Filesize
88KB

Download
memory/2792-49-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads