formbook | 76de342da3c560312b0c1159b640949e342f994805ff962c2f95c73054913307

General

Target

IRQ2207799_pdf.exe
Size

467KB
MD5

17a1bd2f314821d2554ff4f486bc763c
SHA1

34b75fa0336143dba8fc2cee895dbd0ffc5914ab
SHA256

d3173c18c350a7fa99867f3ef7c9bf5375a4e1ca7f5706c60d883cb17322491f
SHA512

d05cb5d8d192f78a721f4612830c186a08109c25ed0e6b26d94fee57b22575cd681e0a587ed5fac51a74ba5b670c297e5c880f713a2a138fcbdd58325e5ac1a9
SSDEEP

6144:uGi8Y9MXn1x7YZkDHY0Hi42gcmAdX2SdxWQQCJkVDOuiAQ/40aW5:4MX1x7YZkDHY0Hqm4gzC2Ou0aW5

Score

10^/10

formbook s09m discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s09m

Decoy

briteidea.solutions

laureloil.store

mappr.info

mrcostavendasonline.com

armystart.com

fsztlj.com

crowd-bonus.online

intrinsicvalueventures.com

orbworld.com

implant-dentclinic.store

zibbaceramic.com

sellingmygold.com

careercoachservices.com

onlinecrosslink.com

besremiop.store

clickybuzz.com

metaversogrowth.com

pinoaflower.com

privilegedpeach.com

whxzf.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2800-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2800-19-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2800-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2628-33-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Executes dropped EXE 2 IoCs

pid	Process
2136	ecflmkakn.exe
2800	ecflmkakn.exe

Loads dropped DLL 3 IoCs

pid	Process
2256	IRQ2207799_pdf.exe
2256	IRQ2207799_pdf.exe
2136	ecflmkakn.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2136 set thread context of 2800	2136	ecflmkakn.exe	31
PID 2800 set thread context of 1232	2800	ecflmkakn.exe	21
PID 2800 set thread context of 1232	2800	ecflmkakn.exe	21
PID 2628 set thread context of 1232	2628	rundll32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IRQ2207799_pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecflmkakn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ecflmkakn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2800	ecflmkakn.exe
2800	ecflmkakn.exe
2800	ecflmkakn.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe
2628	rundll32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2800	ecflmkakn.exe
2800	ecflmkakn.exe
2800	ecflmkakn.exe
2800	ecflmkakn.exe
2628	rundll32.exe
2628	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	ecflmkakn.exe
Token: SeDebugPrivilege	2628	rundll32.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2256 wrote to memory of 2136	2256	IRQ2207799_pdf.exe	30
PID 2256 wrote to memory of 2136	2256	IRQ2207799_pdf.exe	30
PID 2256 wrote to memory of 2136	2256	IRQ2207799_pdf.exe	30
PID 2256 wrote to memory of 2136	2256	IRQ2207799_pdf.exe	30
PID 2136 wrote to memory of 2800	2136	ecflmkakn.exe	31
PID 2136 wrote to memory of 2800	2136	ecflmkakn.exe	31
PID 2136 wrote to memory of 2800	2136	ecflmkakn.exe	31
PID 2136 wrote to memory of 2800	2136	ecflmkakn.exe	31
PID 2136 wrote to memory of 2800	2136	ecflmkakn.exe	31
PID 2136 wrote to memory of 2800	2136	ecflmkakn.exe	31
PID 2136 wrote to memory of 2800	2136	ecflmkakn.exe	31
PID 2800 wrote to memory of 2628	2800	ecflmkakn.exe	32
PID 2800 wrote to memory of 2628	2800	ecflmkakn.exe	32
PID 2800 wrote to memory of 2628	2800	ecflmkakn.exe	32
PID 2800 wrote to memory of 2628	2800	ecflmkakn.exe	32
PID 2800 wrote to memory of 2628	2800	ecflmkakn.exe	32
PID 2800 wrote to memory of 2628	2800	ecflmkakn.exe	32
PID 2800 wrote to memory of 2628	2800	ecflmkakn.exe	32
PID 2628 wrote to memory of 2740	2628	rundll32.exe	33
PID 2628 wrote to memory of 2740	2628	rundll32.exe	33
PID 2628 wrote to memory of 2740	2628	rundll32.exe	33
PID 2628 wrote to memory of 2740	2628	rundll32.exe	33

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1232
- C:\Users\Admin\AppData\Local\Temp\IRQ2207799_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\IRQ2207799_pdf.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2256
- - C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe
    C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe C:\Users\Admin\AppData\Local\Temp\bizrc
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2136
  - - C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe
      C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe C:\Users\Admin\AppData\Local\Temp\bizrc
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe"
        5⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\ecflmkakn.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\bizrc

Filesize
4KB

MD5
96a2151d64fe1482fb48dfde2233b734

SHA1
34596a44a935b2c3af3cfddcdbc3f42a19478df7

SHA256
d62e37a79b03d0218961d58a097085668079890264c4211de72008eda97c10d7

SHA512
991231efe7a1928725696155bfed4ea968a4cbf43fd6b0cc2117e8fade54133c3713cae0353c0ab6e9fd0010d78b64ed9a039ff46fe71ed8d11dca9cc5dc6d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\rnaocrblhyskjl

Filesize
212KB

MD5
29f4f3fb201838f3f6f5b2012b26a778

SHA1
bdc358339f559a48294b907ed863999843392b0f

SHA256
b30bc2794e8a2235304b6cff7a32d054f9cbc96a4877fec9e1221ba3fa3cd30d

SHA512
e206bd6a169182b9a96ab6738094fe5455f31a012552b27baca95f6051a4f3592c91d8cba6a24ff78c0c437651b8d1d51401af8cac40aba09280070683881630

Download Submit
\Users\Admin\AppData\Local\Temp\ecflmkakn.exe

Filesize
114KB

MD5
335f3448a8233ac59e61717a13dc5d9f

SHA1
e9ac4829c76470a6ea0b875d32d000c91a771354

SHA256
c0dec7d411b133eafdd7255c42cc81cd3b2febbee245ad61e40edc2408bddfa7

SHA512
f51f664b2ef1d94994473b659d106a95edb67bf4005a21faac30f364ce721921ae7fe79a704aee984cd6f812c0ab588be6e3ed3c9ba9de6daa260c7eab834815

Download Submit
memory/1232-27-0x0000000006AA0000-0x0000000006C1C000-memory.dmp

Filesize
1.5MB

Download
memory/1232-21-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1232-22-0x0000000006EC0000-0x0000000007059000-memory.dmp

Filesize
1.6MB

Download
memory/1232-28-0x0000000006EC0000-0x0000000007059000-memory.dmp

Filesize
1.6MB

Download
memory/2136-12-0x0000000000110000-0x0000000000112000-memory.dmp

Filesize
8KB

Download
memory/2628-33-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/2628-32-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2628-30-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2628-29-0x0000000000240000-0x000000000024E000-memory.dmp

Filesize
56KB

Download
memory/2800-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-25-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/2800-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2800-20-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2800-17-0x00000000009F0000-0x0000000000CF3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing