formbook | 923fb5875b7bbde4321e8e9d4c010aa8851801bb5b099f2db795fa883c9c1e1f

General

Target

Ayu4oCFjm9OnXOp.exe
Size

432KB
MD5

f87c0f240f62b4cca561779d456a119b
SHA1

c56269f25c5c23b2e7061e3b13c3e0c3fd27f7f7
SHA256

d30712d30f67be6cc42c17e78032d44f858ba45aa58c767b756874e25f6938df
SHA512

4ec4be2b361bf4c9c009a6b2c3c4dbe5cc4dec31f17d5507708fa7ce5f704452d03ee97dab6ad0f52e9972c2f919e20d243e9ce945aeeeee09a02ee43e6a649c
SSDEEP

12288:LgQts9tXZ0ybmhFZ9lrzfyXHFD4j5HgXm2ijk:LgBX+Amh791yVs1k

Score

10^/10

formbook ajr discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ajr

Decoy

cokefork.com

sunsabe.com

tactical-milsim.com

johnporcaro.com

quantqubit.com

ehrbar2012.com

dailymoringpages.com

masteronlineteams.com

signocomunicaciones.com

entrepreneur-de-demain.com

eve-echoes-data.com

readingbythewindow.com

quoteshark.net

mundoeconomic.com

bootlegmask.com

sporkedmissoula.com

claricitywealthplanning.net

lyotrade.net

brandtokitchens.com

blackstorymedia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral1/memory/1584-19-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1584-22-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1584-27-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2232 set thread context of 1584	2232	Ayu4oCFjm9OnXOp.exe	32
PID 1584 set thread context of 1220	1584	Ayu4oCFjm9OnXOp.exe	21
PID 1584 set thread context of 1220	1584	Ayu4oCFjm9OnXOp.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ayu4oCFjm9OnXOp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1584	Ayu4oCFjm9OnXOp.exe
1584	Ayu4oCFjm9OnXOp.exe
1584	Ayu4oCFjm9OnXOp.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1584	Ayu4oCFjm9OnXOp.exe
1584	Ayu4oCFjm9OnXOp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1584	Ayu4oCFjm9OnXOp.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2620	2232	Ayu4oCFjm9OnXOp.exe	30
PID 2232 wrote to memory of 2620	2232	Ayu4oCFjm9OnXOp.exe	30
PID 2232 wrote to memory of 2620	2232	Ayu4oCFjm9OnXOp.exe	30
PID 2232 wrote to memory of 2620	2232	Ayu4oCFjm9OnXOp.exe	30
PID 2232 wrote to memory of 1584	2232	Ayu4oCFjm9OnXOp.exe	32
PID 2232 wrote to memory of 1584	2232	Ayu4oCFjm9OnXOp.exe	32
PID 2232 wrote to memory of 1584	2232	Ayu4oCFjm9OnXOp.exe	32
PID 2232 wrote to memory of 1584	2232	Ayu4oCFjm9OnXOp.exe	32
PID 2232 wrote to memory of 1584	2232	Ayu4oCFjm9OnXOp.exe	32
PID 2232 wrote to memory of 1584	2232	Ayu4oCFjm9OnXOp.exe	32
PID 2232 wrote to memory of 1584	2232	Ayu4oCFjm9OnXOp.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1220
- C:\Users\Admin\AppData\Local\Temp\Ayu4oCFjm9OnXOp.exe
  "C:\Users\Admin\AppData\Local\Temp\Ayu4oCFjm9OnXOp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\VfaatlT" /XML "C:\Users\Admin\AppData\Local\Temp\tmp49FB.tmp"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2620
- - C:\Users\Admin\AppData\Local\Temp\Ayu4oCFjm9OnXOp.exe
    "C:\Users\Admin\AppData\Local\Temp\Ayu4oCFjm9OnXOp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp49FB.tmp

Filesize
1KB

MD5
2662afacd24f87c0a087f4c7453de98d

SHA1
439e48d307bb7f78224b7659bc0d9e3acc194fa1

SHA256
669222c748c91a6698c1b43b63effd8e19b8447af253af73333b273f18f2a8dc

SHA512
f2da596c4ba5d9d1b64722f1a86663e212674c021475bb824633bf8a24589d1579852f5a53011635ca3db84e15b09d21d069cfac57077f3a5f78402cd159900a

Download Submit
memory/1220-31-0x0000000006760000-0x00000000068A8000-memory.dmp

Filesize
1.3MB

Download
memory/1220-29-0x0000000005050000-0x000000000512D000-memory.dmp

Filesize
884KB

Download
memory/1220-30-0x0000000006760000-0x00000000068A8000-memory.dmp

Filesize
1.3MB

Download
memory/1220-24-0x0000000005050000-0x000000000512D000-memory.dmp

Filesize
884KB

Download
memory/1584-22-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1584-23-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1584-27-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1584-28-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/1584-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1584-19-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1584-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1584-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1584-20-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/2232-6-0x0000000004850000-0x00000000048A6000-memory.dmp

Filesize
344KB

Download
memory/2232-0-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2232-4-0x00000000747CE000-0x00000000747CF000-memory.dmp

Filesize
4KB

Download
memory/2232-25-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-3-0x0000000000440000-0x000000000044A000-memory.dmp

Filesize
40KB

Download
memory/2232-2-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-5-0x00000000747C0000-0x0000000074EAE000-memory.dmp

Filesize
6.9MB

Download
memory/2232-7-0x00000000048E0000-0x0000000004916000-memory.dmp

Filesize
216KB

Download
memory/2232-1-0x0000000000D20000-0x0000000000D92000-memory.dmp

Filesize
456KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads