formbook | c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe

General

Target

c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
Size

1.0MB
MD5

f44bc4e0027f0f44d75fed04b8416be2
SHA1

70fffcae8382f82570ec5b8e0389e7378c5db522
SHA256

c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe
SHA512

506d386d7fbd7506930017ba869573bb1e21762c002fb686740ef9cfd906459886fba519486600582f5ab903a958ddfeed81d5df92af6a16c2cc6951e34e9458
SSDEEP

12288:5D9Q6t+p9J/s61NobMm1k4Wcqx9cpwtNHdlIoXcPANAe5WdNH6gsmxhgR6ZdEyGk:yoYck4JqncElfcINPewgsw26ZdxAx87

Score

10^/10

formbook ps94 execution rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ps94

Decoy

gokorgiboard.com

17tk558f.com

xbtdlz.com

agence-dyf.com

azovtour.com

refreshoutdoors.shop

muyidajs.com

bull007s.autos

huskyacres.net

nryijx628b.xyz

romansotam.com

norlac.xyz

dorsetbusinessforum.com

prpasti.shop

amycostellospeech.com

dpaijvpiajvpin.top

rinabet371.com

corporatebushcraft.com

0755xx.com

wxsjlwkj2019.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/3040-13-0x0000000000400000-0x000000000042F000-memory.dmp formbook
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2708 powershell.exe

resource	yara_rule
behavioral1/memory/3040-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

pid	process
2708	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe

description	pid	process	target process
PID 1748 set thread context of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exepowershell.exe

pid process

3040 c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
2708 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2708 powershell.exe

pid	process
3040	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
2708	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2708	powershell.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe

description	pid	process	target process
PID 1748 wrote to memory of 2708	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	powershell.exe
PID 1748 wrote to memory of 2708	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	powershell.exe
PID 1748 wrote to memory of 2708	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	powershell.exe
PID 1748 wrote to memory of 2708	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	powershell.exe
PID 1748 wrote to memory of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
PID 1748 wrote to memory of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
PID 1748 wrote to memory of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
PID 1748 wrote to memory of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
PID 1748 wrote to memory of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
PID 1748 wrote to memory of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
PID 1748 wrote to memory of 3040	1748	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe	c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe

C:\Users\Admin\AppData\Local\Temp\c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
"C:\Users\Admin\AppData\Local\Temp\c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1748

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe"
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2708

C:\Users\Admin\AppData\Local\Temp\c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe
"C:\Users\Admin\AppData\Local\Temp\c019951411af4b89614d39e15b69e1798f267c54aebfe7e61852e4626bf00cbe.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3040

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1748-0-0x00000000740EE000-0x00000000740EF000-memory.dmp

Filesize
4KB

Download
memory/1748-1-0x0000000000FB0000-0x00000000010BA000-memory.dmp

Filesize
1.0MB

Download
memory/1748-2-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/1748-3-0x0000000000720000-0x0000000000730000-memory.dmp

Filesize
64KB

Download
memory/1748-4-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/1748-5-0x0000000004860000-0x00000000048D6000-memory.dmp

Filesize
472KB

Download
memory/1748-17-0x00000000740E0000-0x00000000747CE000-memory.dmp

Filesize
6.9MB

Download
memory/3040-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/3040-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3040-14-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing