formbook | 9cca5ee417bb9929c186dc8c2daa8f645e23fc7b1c32c0cb18fef77ef728c7ca

General

Target

Purchase Order Project No.8873_ECOFIX.exe
Size

101KB
MD5

5b93648ff0ed23f7a77cf8ba1c7dfd29
SHA1

4ab10dc761f140b00a880699b5b71d67d000f4b9
SHA256

9cca5ee417bb9929c186dc8c2daa8f645e23fc7b1c32c0cb18fef77ef728c7ca
SHA512

be2c33e988f20a153e0c922b9458c997ca93e349e7127bc83c95cc45d440dc2734870f862c0f7dede4a81f5fa5ecbf6d006aa65a63a7bbb3d38b42ac90df88af
SSDEEP

1536:n8D9sbgCMGEEEEEEEEEEEbEEzEEEbEEEEEEbEEEEEEbEEEEEEbEEEEEEEbEbE3kK:n8D9sbgCM5M7C34gj7

Score

10^/10

formbook b2du persistence rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b2du

Decoy

jaiesgae.online

rorysmysticrodeo.com

wd-freight.net

nfttwinning.com

yuguomall.com

lobotomizai.com

dermatologist-jobs-62886.bond

laineway.com

epistlesmultimedia.com

135w52st30a.com

kqoik2x6me.asia

murinoreactsrf.online

donnarainslegacy.com

maison-roc.com

majestyjewelss.com

suksesbersama.live

skillpraxis.com

lncnln.top

79iwin.top

rentasmoking.shop

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3628-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3628-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2280-23-0x0000000001280000-0x00000000012AF000-memory.dmp	formbook

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Purchase Order Project No.8873_ECOFIX = "C:\\Users\\Admin\\Documents\\Purchase Order Project No.8873_ECOFIX.pif"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order Project No.8873_ECOFIX.exePurchase Order Project No.8873_ECOFIX.exechkdsk.exe

description	pid	process	target process
PID 3148 set thread context of 3628	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3628 set thread context of 3360	3628	Purchase Order Project No.8873_ECOFIX.exe	Explorer.EXE
PID 2280 set thread context of 3360	2280	chkdsk.exe	Explorer.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry
T1012

System Information Discovery
T1082

Processes:

chkdsk.exe

description ioc process

Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier chkdsk.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier	chkdsk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Purchase Order Project No.8873_ECOFIX.exePurchase Order Project No.8873_ECOFIX.exechkdsk.exe

pid	process
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3148	Purchase Order Project No.8873_ECOFIX.exe
3628	Purchase Order Project No.8873_ECOFIX.exe
3628	Purchase Order Project No.8873_ECOFIX.exe
3628	Purchase Order Project No.8873_ECOFIX.exe
3628	Purchase Order Project No.8873_ECOFIX.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe
2280	chkdsk.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Purchase Order Project No.8873_ECOFIX.exechkdsk.exe

pid process

3628 Purchase Order Project No.8873_ECOFIX.exe
3628 Purchase Order Project No.8873_ECOFIX.exe
3628 Purchase Order Project No.8873_ECOFIX.exe
2280 chkdsk.exe
2280 chkdsk.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Purchase Order Project No.8873_ECOFIX.exePurchase Order Project No.8873_ECOFIX.exechkdsk.exe

description pid process

Token: SeDebugPrivilege 3148 Purchase Order Project No.8873_ECOFIX.exe
Token: SeDebugPrivilege 3628 Purchase Order Project No.8873_ECOFIX.exe
Token: SeDebugPrivilege 2280 chkdsk.exe

pid	process
3628	Purchase Order Project No.8873_ECOFIX.exe
3628	Purchase Order Project No.8873_ECOFIX.exe
3628	Purchase Order Project No.8873_ECOFIX.exe
2280	chkdsk.exe
2280	chkdsk.exe

description	pid	process
Token: SeDebugPrivilege	3148	Purchase Order Project No.8873_ECOFIX.exe
Token: SeDebugPrivilege	3628	Purchase Order Project No.8873_ECOFIX.exe
Token: SeDebugPrivilege	2280	chkdsk.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

Purchase Order Project No.8873_ECOFIX.execmd.exeExplorer.EXEchkdsk.exe

description	pid	process	target process
PID 3148 wrote to memory of 1548	3148	Purchase Order Project No.8873_ECOFIX.exe	cmd.exe
PID 3148 wrote to memory of 1548	3148	Purchase Order Project No.8873_ECOFIX.exe	cmd.exe
PID 3148 wrote to memory of 1548	3148	Purchase Order Project No.8873_ECOFIX.exe	cmd.exe
PID 1548 wrote to memory of 556	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 556	1548	cmd.exe	reg.exe
PID 1548 wrote to memory of 556	1548	cmd.exe	reg.exe
PID 3148 wrote to memory of 1828	3148	Purchase Order Project No.8873_ECOFIX.exe	cmd.exe
PID 3148 wrote to memory of 1828	3148	Purchase Order Project No.8873_ECOFIX.exe	cmd.exe
PID 3148 wrote to memory of 1828	3148	Purchase Order Project No.8873_ECOFIX.exe	cmd.exe
PID 3148 wrote to memory of 2764	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 2764	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 2764	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 3628	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 3628	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 3628	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 3628	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 3628	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3148 wrote to memory of 3628	3148	Purchase Order Project No.8873_ECOFIX.exe	Purchase Order Project No.8873_ECOFIX.exe
PID 3360 wrote to memory of 2280	3360	Explorer.EXE	chkdsk.exe
PID 3360 wrote to memory of 2280	3360	Explorer.EXE	chkdsk.exe
PID 3360 wrote to memory of 2280	3360	Explorer.EXE	chkdsk.exe
PID 2280 wrote to memory of 4348	2280	chkdsk.exe	cmd.exe
PID 2280 wrote to memory of 4348	2280	chkdsk.exe	cmd.exe
PID 2280 wrote to memory of 4348	2280	chkdsk.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3360

C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3148

C:\Windows\SysWOW64\cmd.exe
cmd /c REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Purchase Order Project No.8873_ECOFIX" /t REG_SZ /F /D "C:\Users\Admin\Documents\Purchase Order Project No.8873_ECOFIX.pif"
3⤵
- Suspicious use of WriteProcessMemory
PID:1548

C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /V "Purchase Order Project No.8873_ECOFIX" /t REG_SZ /F /D "C:\Users\Admin\Documents\Purchase Order Project No.8873_ECOFIX.pif"
4⤵
- Adds Run key to start application
PID:556

C:\Windows\SysWOW64\cmd.exe
cmd /c Copy "C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe" "C:\Users\Admin\Documents\Purchase Order Project No.8873_ECOFIX.pif"
3⤵
PID:1828

C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe"
3⤵
PID:2764

C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\SysWOW64\chkdsk.exe
"C:\Windows\SysWOW64\chkdsk.exe"
2⤵
- Suspicious use of SetThreadContext
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2280

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order Project No.8873_ECOFIX.exe"
3⤵
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
1⤵
PID:4780

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2280-21-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/2280-23-0x0000000001280000-0x00000000012AF000-memory.dmp

Filesize
188KB

Download
memory/2280-22-0x0000000000D50000-0x0000000000D5A000-memory.dmp

Filesize
40KB

Download
memory/3148-6-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/3148-1-0x0000000000110000-0x0000000000130000-memory.dmp

Filesize
128KB

Download
memory/3148-5-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3148-0-0x0000000074DDE000-0x0000000074DDF000-memory.dmp

Filesize
4KB

Download
memory/3148-7-0x0000000006620000-0x0000000006668000-memory.dmp

Filesize
288KB

Download
memory/3148-8-0x0000000005D30000-0x0000000005D4E000-memory.dmp

Filesize
120KB

Download
memory/3148-9-0x00000000068F0000-0x000000000698C000-memory.dmp

Filesize
624KB

Download
memory/3148-10-0x0000000006850000-0x00000000068B6000-memory.dmp

Filesize
408KB

Download
memory/3148-4-0x0000000004BC0000-0x0000000004C36000-memory.dmp

Filesize
472KB

Download
memory/3148-15-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/3148-2-0x0000000005030000-0x00000000055D4000-memory.dmp

Filesize
5.6MB

Download
memory/3148-3-0x0000000004B20000-0x0000000004BB2000-memory.dmp

Filesize
584KB

Download
memory/3360-20-0x00000000034D0000-0x00000000035A2000-memory.dmp

Filesize
840KB

Download
memory/3360-25-0x00000000034D0000-0x00000000035A2000-memory.dmp

Filesize
840KB

Download
memory/3360-28-0x0000000008970000-0x0000000008A63000-memory.dmp

Filesize
972KB

Download
memory/3360-29-0x0000000008970000-0x0000000008A63000-memory.dmp

Filesize
972KB

Download
memory/3360-32-0x0000000008970000-0x0000000008A63000-memory.dmp

Filesize
972KB

Download
memory/3628-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3628-19-0x0000000001380000-0x0000000001395000-memory.dmp

Filesize
84KB

Download
memory/3628-16-0x0000000001830000-0x0000000001B7A000-memory.dmp

Filesize
3.3MB

Download
memory/3628-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads