formbook | ffa6edc1cd151506e2512ac8f3dade5947d26cf25a29e9920f5c41f0a48ca6ed

General

Target

02-016.exe
Size

732KB
MD5

957014bc66c96533ca3cf65a5b355038
SHA1

cedbfdb6bd9d4ee9397d2fe0bfab563b01c9ba2a
SHA256

fdf3aa0df3a0d4a6d053c55b970ad22f71f5db88f2da4f94bc18f1926b731f1b
SHA512

dd3a42758775b0b8cbd53f89dd23d99ae56a76fa4c13abae3e307c5209ec1edf5a070fddafa9bf6174a0243089bab53fe0c9988ae4b4af2f72f42a2d4e089314
SSDEEP

12288:nX6Orlv+6cJ/QlI2eUBvV+klwuimKb0aw1xcA6i5zDJEkcYv2tasGHW:X6O5Lg/XUB9+jPsxJ6i5zDeyutasoW

Score

10^/10

formbook bf3 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bf3

Decoy

ecatcom.com

what3emoji.com

primbathandbody.com

yt-itclub.com

newbieeer.com

getyoursofa.com

mexicanitems.info

catalogcardgames.net

leagueofwomengolfers.com

gvanmp.com

midnightsunhi.com

cnluma.com

sunsetcherrydesigns.com

cosmoproturkey.com

inifinityapps.net

making50masks.com

battalionice.com

uk-calculation.net

frosteatlove.com

bs-mag.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2760-17-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2760-21-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2908	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 2760	1620	02-016.exe	33
PID 2760 set thread context of 1152	2760	02-016.exe	20
PID 3056 set thread context of 1152	3056	cmstp.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	02-016.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2760	02-016.exe
2760	02-016.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe
3056	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2760	02-016.exe
2760	02-016.exe
2760	02-016.exe
3056	cmstp.exe
3056	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	02-016.exe
Token: SeDebugPrivilege	3056	cmstp.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2836	1620	02-016.exe	31
PID 1620 wrote to memory of 2836	1620	02-016.exe	31
PID 1620 wrote to memory of 2836	1620	02-016.exe	31
PID 1620 wrote to memory of 2836	1620	02-016.exe	31
PID 1620 wrote to memory of 2760	1620	02-016.exe	33
PID 1620 wrote to memory of 2760	1620	02-016.exe	33
PID 1620 wrote to memory of 2760	1620	02-016.exe	33
PID 1620 wrote to memory of 2760	1620	02-016.exe	33
PID 1620 wrote to memory of 2760	1620	02-016.exe	33
PID 1620 wrote to memory of 2760	1620	02-016.exe	33
PID 1620 wrote to memory of 2760	1620	02-016.exe	33
PID 1152 wrote to memory of 3056	1152	Explorer.EXE	34
PID 1152 wrote to memory of 3056	1152	Explorer.EXE	34
PID 1152 wrote to memory of 3056	1152	Explorer.EXE	34
PID 1152 wrote to memory of 3056	1152	Explorer.EXE	34
PID 1152 wrote to memory of 3056	1152	Explorer.EXE	34
PID 1152 wrote to memory of 3056	1152	Explorer.EXE	34
PID 1152 wrote to memory of 3056	1152	Explorer.EXE	34
PID 3056 wrote to memory of 2908	3056	cmstp.exe	35
PID 3056 wrote to memory of 2908	3056	cmstp.exe	35
PID 3056 wrote to memory of 2908	3056	cmstp.exe	35
PID 3056 wrote to memory of 2908	3056	cmstp.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\02-016.exe
  "C:\Users\Admin\AppData\Local\Temp\02-016.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1620
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\NPFWxIEmY" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF4CA.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2836
- - C:\Users\Admin\AppData\Local\Temp\02-016.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\02-016.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    PID:2908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpF4CA.tmp

Filesize
1KB

MD5
557f6e144d8d22ff8282a571d686e406

SHA1
ddf406803ff26f64a7d564f3cfb400f225b229d1

SHA256
573e1b4243fcad2d4c3faa555583feb981dd3988e584a4621b3e3e3de2bca767

SHA512
4e984343375365b9267ce65bdd6e9ddb35849936d97c2a888ea7c02c01256d81c4b59a0863046e37e62a1ce0edc2ef8c1d9f7f2549775055f2d487df1abf9dab

Download Submit
memory/1152-26-0x0000000004F20000-0x0000000005066000-memory.dmp

Filesize
1.3MB

Download
memory/1152-23-0x0000000004F20000-0x0000000005066000-memory.dmp

Filesize
1.3MB

Download
memory/1620-5-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-4-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/1620-0-0x00000000743FE000-0x00000000743FF000-memory.dmp

Filesize
4KB

Download
memory/1620-6-0x0000000004D80000-0x0000000004E16000-memory.dmp

Filesize
600KB

Download
memory/1620-3-0x00000000006C0000-0x00000000006C8000-memory.dmp

Filesize
32KB

Download
memory/1620-1-0x0000000000980000-0x0000000000A3E000-memory.dmp

Filesize
760KB

Download
memory/1620-2-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/1620-18-0x00000000743F0000-0x0000000074ADE000-memory.dmp

Filesize
6.9MB

Download
memory/2760-19-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/2760-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2760-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2760-22-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/2760-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2760-21-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2760-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3056-25-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download
memory/3056-24-0x0000000000100000-0x0000000000118000-memory.dmp

Filesize
96KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads