formbook | 251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87

General

Target

251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
Size

608KB
MD5

0559acbaacfcf93cefd8bcbfd498bfe4
SHA1

26142b0abd1848a4aeb96e63ed74836e5af67823
SHA256

251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87
SHA512

e6ca8522526fcd0875d97ee1a77bcc3d11e78c6b72d7c2332331c59daae2bc2adb32ce6c803ebdaa27d4990575688acc09c6cca09664d419353f6f3ee848bcdd
SSDEEP

12288:yEJwtNcDfRDyLA7sGpEBVgWd/3cN1h89cdQpNIcaiwLjnp+YDj:lHfROLIsGUVD1cTh89BZaiQ7x/

Score

10^/10

formbook ps94 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ps94

Decoy

gokorgiboard.com

17tk558f.com

xbtdlz.com

agence-dyf.com

azovtour.com

refreshoutdoors.shop

muyidajs.com

bull007s.autos

huskyacres.net

nryijx628b.xyz

romansotam.com

norlac.xyz

dorsetbusinessforum.com

prpasti.shop

amycostellospeech.com

dpaijvpiajvpin.top

rinabet371.com

corporatebushcraft.com

0755xx.com

wxsjlwkj2019.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/3056-11-0x0000000000400000-0x000000000042F000-memory.dmp formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2452 powershell.exe

resource	yara_rule
behavioral1/memory/3056-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

pid	process
2452	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe

description	pid	process	target process
PID 1320 set thread context of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exepowershell.exe

pid process

3056 251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
2452 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2452 powershell.exe

pid	process
3056	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
2452	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2452	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe

description	pid	process	target process
PID 1320 wrote to memory of 2452	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	powershell.exe
PID 1320 wrote to memory of 2452	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	powershell.exe
PID 1320 wrote to memory of 2452	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	powershell.exe
PID 1320 wrote to memory of 2452	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	powershell.exe
PID 1320 wrote to memory of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
PID 1320 wrote to memory of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
PID 1320 wrote to memory of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
PID 1320 wrote to memory of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
PID 1320 wrote to memory of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
PID 1320 wrote to memory of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
PID 1320 wrote to memory of 3056	1320	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe	251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe

C:\Users\Admin\AppData\Local\Temp\251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
"C:\Users\Admin\AppData\Local\Temp\251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1320

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2452

C:\Users\Admin\AppData\Local\Temp\251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe
"C:\Users\Admin\AppData\Local\Temp\251f9b9b5d35ad3ca96da825cea2a7b95f97872a5c6994a9123e203d41093a87.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1320-0-0x000000007491E000-0x000000007491F000-memory.dmp

Filesize
4KB

Download
memory/1320-1-0x0000000000200000-0x000000000029E000-memory.dmp

Filesize
632KB

Download
memory/1320-2-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/1320-3-0x00000000002B0000-0x00000000002C0000-memory.dmp

Filesize
64KB

Download
memory/1320-4-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1320-5-0x0000000002000000-0x0000000002076000-memory.dmp

Filesize
472KB

Download
memory/1320-15-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/3056-12-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/3056-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3056-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3056-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing