formbook | 4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0

General

Target

4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
Size

1.1MB
MD5

db70135e8dbccf549d724c7c78506a10
SHA1

e03021cd4c55f6a3df845611dcafcb9310453c62
SHA256

4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0
SHA512

e3762b27bcd8078606583b041d0407e516e0cf9ef351a77db97ad5d1da39c2f6b52d49960d5d249592aab74171104b602fe8a97e1fb1962b27d0aafc961a4f2e
SSDEEP

24576:gAHnh+eWsN3skA4RV1Hom2KXMmHa2pQDQG4aoZcXlj5:Xh+ZkldoPK8Ya2GfRacXv

Score

10^/10

formbook ss63 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ss63

Decoy

catpig.xyz

chatladyanzensei7.site

onewayonepaydroptaxi.com

bima188.lol

wealth-km.online

seepao27200.top

6c958u9.lol

fbyu57ytsd.shop

baranetentegre.com

webaichimie.com

h3k38q2.lol

abicomsrl.com

338kp.vip

rescuecube.com

bubatz-t.com

psgluxuryapartments.com

goodfellowlawfirm.com

bais141.com

imingchu.com

ekzeanjfolzaks.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2460-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2460-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1972-20-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exesvchost.exechkdsk.exe

description	pid	process	target process
PID 1708 set thread context of 2460	1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe	svchost.exe
PID 2460 set thread context of 1216	2460	svchost.exe	Explorer.EXE
PID 1972 set thread context of 1216	1972	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

svchost.exechkdsk.exe

pid	process
2460	svchost.exe
2460	svchost.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe
1972	chkdsk.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exesvchost.exechkdsk.exe

pid process

1708 4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
2460 svchost.exe
2460 svchost.exe
2460 svchost.exe
1972 chkdsk.exe
1972 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 2460 svchost.exe
Token: SeDebugPrivilege 1972 chkdsk.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exeExplorer.EXE

pid process

1708 4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
1708 4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe

pid process

1708 4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
1708 4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe

pid	process
1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
2460	svchost.exe
2460	svchost.exe
2460	svchost.exe
1972	chkdsk.exe
1972	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	2460	svchost.exe
Token: SeDebugPrivilege	1972	chkdsk.exe

pid	process
1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 1708 wrote to memory of 2460	1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe	svchost.exe
PID 1708 wrote to memory of 2460	1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe	svchost.exe
PID 1708 wrote to memory of 2460	1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe	svchost.exe
PID 1708 wrote to memory of 2460	1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe	svchost.exe
PID 1708 wrote to memory of 2460	1708	4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe	svchost.exe
PID 1216 wrote to memory of 1972	1216	Explorer.EXE	chkdsk.exe
PID 1216 wrote to memory of 1972	1216	Explorer.EXE	chkdsk.exe
PID 1216 wrote to memory of 1972	1216	Explorer.EXE	chkdsk.exe
PID 1216 wrote to memory of 1972	1216	Explorer.EXE	chkdsk.exe
PID 1972 wrote to memory of 2692	1972	chkdsk.exe	cmd.exe
PID 1972 wrote to memory of 2692	1972	chkdsk.exe	cmd.exe
PID 1972 wrote to memory of 2692	1972	chkdsk.exe	cmd.exe
PID 1972 wrote to memory of 2692	1972	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe
"C:\Users\Admin\AppData\Local\Temp\4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1708

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\4bc87fbfe1c5bc22f4b002a8299d8ca46b8978ce2ca4b6ddaed51234099468a0.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2460

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:2692

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-31-0x0000000006EE0000-0x0000000006FF4000-memory.dmp

Filesize
1.1MB

Download
memory/1216-28-0x0000000006EE0000-0x0000000006FF4000-memory.dmp

Filesize
1.1MB

Download
memory/1216-17-0x0000000006DF0000-0x0000000006EDA000-memory.dmp

Filesize
936KB

Download
memory/1216-27-0x0000000006EE0000-0x0000000006FF4000-memory.dmp

Filesize
1.1MB

Download
memory/1216-14-0x0000000003CB0000-0x0000000003DB0000-memory.dmp

Filesize
1024KB

Download
memory/1216-23-0x0000000006DF0000-0x0000000006EDA000-memory.dmp

Filesize
936KB

Download
memory/1708-10-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/1972-20-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1972-19-0x0000000000A80000-0x0000000000A87000-memory.dmp

Filesize
28KB

Download
memory/1972-18-0x0000000000A80000-0x0000000000A87000-memory.dmp

Filesize
28KB

Download
memory/2460-13-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2460-15-0x0000000000180000-0x0000000000195000-memory.dmp

Filesize
84KB

Download
memory/2460-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2460-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads