formbook | 7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71

General

Target

PO - 04755 .bat.exe
Size

541KB
MD5

37f3b2a7f84422ea9fce13bcc170461b
SHA1

b2d8ac2774b12ffc4412435224398f3909bc8ceb
SHA256

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
SHA512

604aeeaf52c3aaab4e1a46ec2879d7b8e6f68ce0168e2f7ffc4f970b1633a2752959816bde10bbe19946a0ae7a2e9d373979554729fc7ed9366e1c5516b6639a
SSDEEP

12288:YEuIQ8LBZ0BJxONHZZZxa3qBHkKbdUKSaEpkAE5YWOzxRwzPE58bm:XlXBWDxOpxk3qBHkcWgEppEWzxRw458K

Score

10^/10

formbook 45er execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 2 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2520-24-0x0000000000400000-0x000000000042F000-memory.dmp formbook
behavioral1/memory/3024-29-0x0000000000080000-0x00000000000AF000-memory.dmp formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2568 powershell.exe
2748 powershell.exe
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2880 cmd.exe

resource	yara_rule
behavioral1/memory/2520-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3024-29-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

pid	process
2568	powershell.exe
2748	powershell.exe

pid	process
2880	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO - 04755 .bat.exePO - 04755 .bat.exemsdt.exe

description	pid	process	target process
PID 2036 set thread context of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 2520 set thread context of 1200	2520	PO - 04755 .bat.exe	Explorer.EXE
PID 3024 set thread context of 1200	3024	msdt.exe	Explorer.EXE

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2620 schtasks.exe

pid	process
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

PO - 04755 .bat.exePO - 04755 .bat.exepowershell.exepowershell.exemsdt.exe

pid	process
2036	PO - 04755 .bat.exe
2036	PO - 04755 .bat.exe
2036	PO - 04755 .bat.exe
2036	PO - 04755 .bat.exe
2036	PO - 04755 .bat.exe
2036	PO - 04755 .bat.exe
2036	PO - 04755 .bat.exe
2520	PO - 04755 .bat.exe
2520	PO - 04755 .bat.exe
2568	powershell.exe
2748	powershell.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe
3024	msdt.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO - 04755 .bat.exemsdt.exe

pid process

2520 PO - 04755 .bat.exe
2520 PO - 04755 .bat.exe
2520 PO - 04755 .bat.exe
3024 msdt.exe
3024 msdt.exe

pid	process
2520	PO - 04755 .bat.exe
2520	PO - 04755 .bat.exe
2520	PO - 04755 .bat.exe
3024	msdt.exe
3024	msdt.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

PO - 04755 .bat.exePO - 04755 .bat.exepowershell.exepowershell.exemsdt.exe

description	pid	process
Token: SeDebugPrivilege	2036	PO - 04755 .bat.exe
Token: SeDebugPrivilege	2520	PO - 04755 .bat.exe
Token: SeDebugPrivilege	2568	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	3024	msdt.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

PO - 04755 .bat.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 2036 wrote to memory of 2568	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2568	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2568	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2568	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2748	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2748	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2748	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2748	2036	PO - 04755 .bat.exe	powershell.exe
PID 2036 wrote to memory of 2620	2036	PO - 04755 .bat.exe	schtasks.exe
PID 2036 wrote to memory of 2620	2036	PO - 04755 .bat.exe	schtasks.exe
PID 2036 wrote to memory of 2620	2036	PO - 04755 .bat.exe	schtasks.exe
PID 2036 wrote to memory of 2620	2036	PO - 04755 .bat.exe	schtasks.exe
PID 2036 wrote to memory of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 2036 wrote to memory of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 2036 wrote to memory of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 2036 wrote to memory of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 2036 wrote to memory of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 2036 wrote to memory of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 2036 wrote to memory of 2520	2036	PO - 04755 .bat.exe	PO - 04755 .bat.exe
PID 1200 wrote to memory of 3024	1200	Explorer.EXE	msdt.exe
PID 1200 wrote to memory of 3024	1200	Explorer.EXE	msdt.exe
PID 1200 wrote to memory of 3024	1200	Explorer.EXE	msdt.exe
PID 1200 wrote to memory of 3024	1200	Explorer.EXE	msdt.exe
PID 3024 wrote to memory of 2880	3024	msdt.exe	cmd.exe
PID 3024 wrote to memory of 2880	3024	msdt.exe	cmd.exe
PID 3024 wrote to memory of 2880	3024	msdt.exe	cmd.exe
PID 3024 wrote to memory of 2880	3024	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe
"C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2568

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iRfUxRRiZtkySe.exe"
3⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2748

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRfUxRRiZtkySe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe
"C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1052

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1192

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO - 04755 .bat.exe"
3⤵
- Deletes itself
PID:2880

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp8112.tmp
Filesize
1KB

MD5
d850c2ee81c4aeedbf67f158a6c932d5

SHA1
f51fbfe1e68cb540ee96f8ceb83f508b95512473

SHA256
c5454f9520d84b7bd00232cb831b8baf33c554e93035c242b04119a0fa55bf2a

SHA512
0c7f5d640fba4b14463cecca1214cd339d625adbb7884325575f63f283b1bfb1e386e5556cbed3a27b3de1b3f9eb36b61cfb01b88a5eef5b022c34326433d4b5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
Filesize
7KB

MD5
2098c08b79fa37a64cce4476f108bc97

SHA1
97132684986fe5b9daa2d433589160a498c4f916

SHA256
82e1b93f3845980e29acb961a7f3a4bee58f7b2d117e46404143eb645532bae9

SHA512
bfb1d1141c5081228ec2a3a02d0f17e17005503c57b10ce9978b9a41b4beeff5099cedc073f83357b624c281866f3301e42eb81c01ef671aac86876a528d348f

Download Submit
memory/1200-27-0x00000000030F0000-0x00000000031F0000-memory.dmp

Filesize
1024KB

Download
memory/2036-4-0x0000000000330000-0x0000000000340000-memory.dmp

Filesize
64KB

Download
memory/2036-25-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2036-5-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2036-6-0x0000000004A70000-0x0000000004AE6000-memory.dmp

Filesize
472KB

Download
memory/2036-3-0x00000000041A0000-0x000000000422A000-memory.dmp

Filesize
552KB

Download
memory/2036-2-0x0000000073FD0000-0x00000000746BE000-memory.dmp

Filesize
6.9MB

Download
memory/2036-1-0x0000000000120000-0x00000000001AE000-memory.dmp

Filesize
568KB

Download
memory/2036-0-0x0000000073FDE000-0x0000000073FDF000-memory.dmp

Filesize
4KB

Download
memory/2520-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2520-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2520-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3024-28-0x00000000007D0000-0x00000000008C4000-memory.dmp

Filesize
976KB

Download
memory/3024-29-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads