formbook | 7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71

General

Target

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
Size

541KB
MD5

37f3b2a7f84422ea9fce13bcc170461b
SHA1

b2d8ac2774b12ffc4412435224398f3909bc8ceb
SHA256

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71
SHA512

604aeeaf52c3aaab4e1a46ec2879d7b8e6f68ce0168e2f7ffc4f970b1633a2752959816bde10bbe19946a0ae7a2e9d373979554729fc7ed9366e1c5516b6639a
SSDEEP

12288:YEuIQ8LBZ0BJxONHZZZxa3qBHkKbdUKSaEpkAE5YWOzxRwzPE58bm:XlXBWDxOpxk3qBHkcWgEppEWzxRw458K

Score

10^/10

formbook 45er execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

45er

Decoy

depotpulsa.com

k2bilbao.online

bb4uoficial.com

rwc666.club

us-pservice.cyou

tricegottreats.com

zsystems.pro

qudouyin6.com

sfumaturedamore.net

pcetyy.icu

notbokin.online

beqprod.tech

flipbuilding.com

errormitigationzoo.com

zj5u603.xyz

jezzatravel.com

zmdniavysyi.shop

quinnsteele.com

522334.com

outdoorshopping.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/2480-24-0x0000000000400000-0x000000000042F000-memory.dmp formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2668 powershell.exe
2632 powershell.exe

resource	yara_rule
behavioral1/memory/2480-24-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

pid	process
2668	powershell.exe
2632	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe

description	pid	process	target process
PID 1068 set thread context of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2360 schtasks.exe

pid	process
2360	schtasks.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exepowershell.exepowershell.exe

pid	process
1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
2480	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
2668	powershell.exe
2632	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exepowershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1068 7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
Token: SeDebugPrivilege 2632 powershell.exe
Token: SeDebugPrivilege 2668 powershell.exe

description	pid	process
Token: SeDebugPrivilege	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe

description	pid	process	target process
PID 1068 wrote to memory of 2668	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2668	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2668	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2668	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2632	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2632	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2632	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2632	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	powershell.exe
PID 1068 wrote to memory of 2360	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	schtasks.exe
PID 1068 wrote to memory of 2360	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	schtasks.exe
PID 1068 wrote to memory of 2360	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	schtasks.exe
PID 1068 wrote to memory of 2360	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	schtasks.exe
PID 1068 wrote to memory of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
PID 1068 wrote to memory of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
PID 1068 wrote to memory of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
PID 1068 wrote to memory of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
PID 1068 wrote to memory of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
PID 1068 wrote to memory of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
PID 1068 wrote to memory of 2480	1068	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe	7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe

C:\Users\Admin\AppData\Local\Temp\7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
"C:\Users\Admin\AppData\Local\Temp\7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1068

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2668

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\iRfUxRRiZtkySe.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\iRfUxRRiZtkySe" /XML "C:\Users\Admin\AppData\Local\Temp\tmp63E1.tmp"
2⤵
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Users\Admin\AppData\Local\Temp\7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe
"C:\Users\Admin\AppData\Local\Temp\7cd0f4968e27515f466f0a6e6967dbc9bca2c9b75a9592e38709a2ca884c6d71.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2480

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp63E1.tmp
Filesize
1KB

MD5
5784020506eeb774a5e0c8fb4c6d29f4

SHA1
ba196552bb47779e6cd3b00c6f73108dd220f03c

SHA256
11b7ed758ea1506d20aee7f0fc7618eb20196da345c3a0203a1f8ff197900b3e

SHA512
32d6b789e4584ea3dc8ab72d5a2c1d971c64ffd82564924c701f05e3a340d0198aa6257396ca5c641c77159d53c99cae5973fc27bb06c538615d2168d4b59c04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\25RVJHAJXOOZPOR4ZEVC.temp
Filesize
7KB

MD5
53bd6527922fd6e0022ffd7233d51ca6

SHA1
4b61914bfe9940de693ba4cc02c0598cbe1e39d0

SHA256
b02ece90b5d08e37afe74e8031916a0a290a71bba0dd054e3a31aa59e5a42be6

SHA512
a1b9d2bbdd408a61d090f318ed84d8d8c8c2210c2f2415e63e7c76552f5f5f25390f0ea010301e6c4093ec3ca6243da4a22fa03d3b5e2753a5613a5351083c7b

Download Submit
memory/1068-6-0x00000000010B0000-0x0000000001126000-memory.dmp

Filesize
472KB

Download
memory/1068-3-0x0000000000B40000-0x0000000000BCA000-memory.dmp

Filesize
552KB

Download
memory/1068-4-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1068-5-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1068-0-0x0000000074E2E000-0x0000000074E2F000-memory.dmp

Filesize
4KB

Download
memory/1068-2-0x0000000074E20000-0x000000007550E000-memory.dmp

Filesize
6.9MB

Download
memory/1068-1-0x0000000001270000-0x00000000012FE000-memory.dmp

Filesize
568KB

Download
memory/1068-25-0x0000000074E20000-0x000000007550E000-memory.dmp

Filesize
6.9MB

Download
memory/2480-21-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-24-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2480-23-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2480-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads