formbook | a0592505ea38b395237adc77624c613ca16cb99f296549c6b128b7d8c4e17ecc

General

Target

bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
Size

623KB
MD5

d796106a6798936495f83e5eeb341c90
SHA1

671a5437ce4fe56510909a852916a19eaf983dc6
SHA256

bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e
SHA512

9cbb995f2d32fef68348d0037ea8b6fac98ba86905b96658bf527961ae04f63ce65a23efcb4dee6e6fe8b3f1e5cf77e40221fd92dff925e0a60c2563eac2a7f7
SSDEEP

12288:no8bkVHKTBePSVM+q175iDNDGgYRtUkBpRcRm9SGiJ4if1kC5Lf0Lx06+r/R4sM:no9tKTBZZE75oNyZpRT7oTOe4C6+r/R/

Score

10^/10

formbook jr04 discovery execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr04

Decoy

usatotribu.com

jak-omi.xyz

spacemozaic.pro

fordheritagevauly.com

vinted.beauty

gowebinar4u.com

infinixmediapty.com

dingquanjr.com

vahidblog.com

kgav99q.icu

healtyneck.com

assg3cd.icu

airconditionerworld.site

opinkmflotp.site

mineclicker.net

davidsonfessettlement.com

secured-verification.com

kgwjqaj.icu

subtmv.xyz

auntysocialvintage.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2296-21-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2836	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2052 set thread context of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
2296	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
2836	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
Token: SeDebugPrivilege	2836	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2836	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	29
PID 2052 wrote to memory of 2836	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	29
PID 2052 wrote to memory of 2836	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	29
PID 2052 wrote to memory of 2836	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	29
PID 2052 wrote to memory of 2664	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	31
PID 2052 wrote to memory of 2664	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	31
PID 2052 wrote to memory of 2664	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	31
PID 2052 wrote to memory of 2664	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	31
PID 2052 wrote to memory of 2156	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	33
PID 2052 wrote to memory of 2156	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	33
PID 2052 wrote to memory of 2156	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	33
PID 2052 wrote to memory of 2156	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	33
PID 2052 wrote to memory of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34
PID 2052 wrote to memory of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34
PID 2052 wrote to memory of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34
PID 2052 wrote to memory of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34
PID 2052 wrote to memory of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34
PID 2052 wrote to memory of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34
PID 2052 wrote to memory of 2296	2052	bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe	34

C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
"C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\ruQKqeQx.exe"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2836
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ruQKqeQx" /XML "C:\Users\Admin\AppData\Local\Temp\tmp21A4.tmp"
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:2664
- C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
  "C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe"
  2⤵
  PID:2156
- C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe
  "C:\Users\Admin\AppData\Local\Temp\bb57e60238a1f7954433764a77c251f0b6367120592605b04307bf2d3aec446e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp21A4.tmp

Filesize
1KB

MD5
c6bbec5c254d38280998550723028dbc

SHA1
e745b950dee442742788c03ef1d990e310f94533

SHA256
95cf49c6ec6aa26666a8c4947843993516bc32eed35ff3d4402de332cd16f667

SHA512
8534165b7c3a95a0afca0262a823017dc4ced12d3f85f418e280c54c783e44e78c8c7ff1fb85f1b534b949b7acb4696a89e210935febf2fc7b4859b3fc517fc3

Download Submit
memory/2052-6-0x00000000006A0000-0x00000000006AE000-memory.dmp

Filesize
56KB

Download
memory/2052-1-0x0000000000F50000-0x0000000000FF2000-memory.dmp

Filesize
648KB

Download
memory/2052-3-0x00000000004F0000-0x0000000000510000-memory.dmp

Filesize
128KB

Download
memory/2052-4-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2052-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2052-7-0x0000000004CB0000-0x0000000004D28000-memory.dmp

Filesize
480KB

Download
memory/2052-2-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-15-0x0000000004400000-0x0000000004434000-memory.dmp

Filesize
208KB

Download
memory/2052-22-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2296-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2296-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2296-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads