formbook | 91179c199ca069ef07cb1939aa20cc1ee3c91b4528402a6e3df424da2982b5ca

General

Target

PO 778000 - JPG.exe
Size

338KB
MD5

95913252240e4a65881ed6cc1126be23
SHA1

9e39d022d13736cf732add2ca97f370ce2c9e704
SHA256

77df1a0146ca3b32c884fea68e1c16af0beb5b30876fedb692bed74b6295bad1
SHA512

ea1d233bdad2eab4109d13d45c8220a89c50c6773da142476851b474cb95c26095409688089062bffb1bcdb8e34a520cfeb5e08f82335ecefae144b4fd5e284a
SSDEEP

6144:Q5lz/PsxMKrNPWG5vy6FQXe2D0ZwBmyeBzqgWw22:AVIpVpq6R2wZwBmGg3

Score

10^/10

formbook c206 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

c206

Decoy

dlpglobal.com

czxpkj.com

gogreencourier.com

ageinplacetechnology.net

xn--dpqw2zqs4aydk.com

kj-gadgetsandgizmos.store

conrak.net

gzmeike.com

emcharlesco.com

dreamroomsoft.com

ctemplar.life

oleum.gmbh

memesthingsandeatingclean.com

0e9eighthell.men

joquinncpa.com

thebiscuitfloaters.com

boulderebeetles.com

vikaspharmacy.com

jxfbet2018.info

mysexproblemhelper.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/5700-10032-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/5700-10037-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Loads dropped DLL 3 IoCs

Processes:

PO 778000 - JPG.exe

pid process

756 PO 778000 - JPG.exe
756 PO 778000 - JPG.exe
756 PO 778000 - JPG.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmd.exesystray.exe

description	pid	process	target process
PID 5700 set thread context of 1380	5700	cmd.exe	Explorer.EXE
PID 5800 set thread context of 1380	5800	systray.exe	Explorer.EXE

Drops file in Windows directory 1 IoCs

Processes:

PO 778000 - JPG.exe

description ioc process

File opened for modification C:\Windows\win.ini PO 778000 - JPG.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File opened for modification	C:\Windows\win.ini	PO 778000 - JPG.exe

Modifies registry class 2 IoCs

Processes:

PO 778000 - JPG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\	PO 778000 - JPG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\VLC.backup	PO 778000 - JPG.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

PO 778000 - JPG.execmd.exesystray.exe

pid	process
756	PO 778000 - JPG.exe
756	PO 778000 - JPG.exe
5700	cmd.exe
5700	cmd.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe
5800	systray.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO 778000 - JPG.execmd.exesystray.exe

pid process

756 PO 778000 - JPG.exe
5700 cmd.exe
5700 cmd.exe
5700 cmd.exe
5800 systray.exe
5800 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exesystray.exe

description pid process

Token: SeDebugPrivilege 5700 cmd.exe
Token: SeDebugPrivilege 5800 systray.exe

description	pid	process
Token: SeDebugPrivilege	5700	cmd.exe
Token: SeDebugPrivilege	5800	systray.exe

Suspicious use of WriteProcessMemory 42 IoCs

Processes:

PO 778000 - JPG.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 756 wrote to memory of 5700	756	PO 778000 - JPG.exe	cmd.exe
PID 1380 wrote to memory of 5800	1380	Explorer.EXE	systray.exe
PID 1380 wrote to memory of 5800	1380	Explorer.EXE	systray.exe
PID 1380 wrote to memory of 5800	1380	Explorer.EXE	systray.exe
PID 1380 wrote to memory of 5800	1380	Explorer.EXE	systray.exe
PID 5800 wrote to memory of 5844	5800	systray.exe	cmd.exe
PID 5800 wrote to memory of 5844	5800	systray.exe	cmd.exe
PID 5800 wrote to memory of 5844	5800	systray.exe	cmd.exe
PID 5800 wrote to memory of 5844	5800	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1380
- C:\Users\Admin\AppData\Local\Temp\PO 778000 - JPG.exe
  "C:\Users\Admin\AppData\Local\Temp\PO 778000 - JPG.exe"
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:5700
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5800
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\SysWOW64\cmd.exe"
    3⤵
    PID:5844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
517B

MD5
893cae59ab5945a94a7da007d47a1255

SHA1
d4cfd81c6647ca64022bd307c08a7fb4bbbd4c06

SHA256
edfa0f2d3bea9f737e0315971c6f81d3d8e7d460b60a19351ada0316a093c938

SHA512
d66e454781f54f45df814ad32d687b0f100578c2a4ffca62de81add04281fb881a550702bd2d058933d3736d14e88624af268a86ce24b0c3935242b206ffdcc9

Download Submit
\Users\Admin\AppData\Local\Temp\luciferase.dll

Filesize
92KB

MD5
696e0a3df2927dde205b3d1894677e1e

SHA1
b10d49e4c2809e4ea9f814fd6a0a311dad62fbe8

SHA256
936babd677d69c25715d1ee19c66c18d33ff439a329c5476d59af2d54ba79bd2

SHA512
e688abb18745843b2ee018eccfc3de0fc58eb3df39a993a2f825725739862b93950ca2f164f0734e72d64b64f94720746eff4bb6d2c8cc81eb91abeacacc63d9

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\UserInfo.dll

Filesize
4KB

MD5
9eb662f3b5fbda28bffe020e0ab40519

SHA1
0bd28183a9d8dbb98afbcf100fb1f4f6c5fc6c41

SHA256
9aa388c7de8e96885adcb4325af871b470ac50edb60d4b0d876ad43f5332ffd1

SHA512
6c36f7b45efe792c21d8a87d03e63a4b641169fad6d014db1e7d15badd0e283144d746d888232d6123b551612173b2bb42bf05f16e3129b625f5ddba4134b5b8

Download Submit
\Users\Admin\AppData\Local\Temp\nsiDC7.tmp\vivo.dll

Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
memory/756-10030-0x00000000004A0000-0x00000000004C1000-memory.dmp

Filesize
132KB

Download
memory/756-22-0x00000000003F0000-0x00000000003F7000-memory.dmp

Filesize
28KB

Download
memory/756-46-0x0000000000310000-0x0000000000314000-memory.dmp

Filesize
16KB

Download
memory/756-47-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1380-10038-0x0000000004120000-0x00000000041DB000-memory.dmp

Filesize
748KB

Download
memory/1380-10036-0x0000000002F40000-0x0000000003040000-memory.dmp

Filesize
1024KB

Download
memory/1380-10044-0x0000000004120000-0x00000000041DB000-memory.dmp

Filesize
748KB

Download
memory/5700-10032-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5700-10034-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/5700-10037-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5700-10035-0x0000000000460000-0x0000000000474000-memory.dmp

Filesize
80KB

Download
memory/5700-10031-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/5700-10039-0x0000000000090000-0x0000000000096000-memory.dmp

Filesize
24KB

Download
memory/5800-10042-0x0000000000810000-0x0000000000815000-memory.dmp

Filesize
20KB

Download
memory/5800-10040-0x0000000000810000-0x0000000000815000-memory.dmp

Filesize
20KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads