formbook | 20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9

General

Target

INVOICE_#24.exe
Size

396KB
MD5

15fc2ccb48e28c2001728c3b92022e3b
SHA1

4745737dde241e42470a73303778e2ba37a6e761
SHA256

20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9
SHA512

e8d8d642ea33c26a6b54346a3819803fa6be37188a9fb25c33a96ff7696af5fb1c77f2de0e4bc4f26255c301b7324ea80a60c7b06e35c372a02845a306656d1b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.govaj.com/bd2/

Decoy

coffeeflyer.com

joy-cars.com

excp0st.com

pancakesandprotein.com

teenboys.info

theperfectgiftshop.net

maomao2017.com

musiclabtacoma.com

taskrit.com

pthjxx.com

114man.com

worldsjsj.com

rjpmuztrygwn.online

casinotoponlineplay.technology

tm88z.com

navnoorkang.com

lazydogkennels.net

yisilv.com

usasubels.com

desperatehouse-lives.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/796-47-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/796-48-0x000000000041B660-mapping.dmp	formbook
behavioral1/memory/1104-49-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

816 cmd.exe

pid	process
816	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

INVOICE_#24.exeINVOICE_#24.execolorcpl.exe

description	pid	process	target process
PID 1664 set thread context of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 796 set thread context of 1268	796	INVOICE_#24.exe	Explorer.EXE
PID 1104 set thread context of 1268	1104	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

INVOICE_#24.execolorcpl.exe

pid	process
796	INVOICE_#24.exe
796	INVOICE_#24.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe
1104	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

INVOICE_#24.execolorcpl.exe

pid process

796 INVOICE_#24.exe
796 INVOICE_#24.exe
796 INVOICE_#24.exe
1104 colorcpl.exe
1104 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

INVOICE_#24.exeINVOICE_#24.execolorcpl.exe

description pid process

Token: SeDebugPrivilege 1664 INVOICE_#24.exe
Token: SeDebugPrivilege 796 INVOICE_#24.exe
Token: SeDebugPrivilege 1104 colorcpl.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

INVOICE_#24.exe

pid process

1664 INVOICE_#24.exe
1664 INVOICE_#24.exe

description	pid	process
Token: SeDebugPrivilege	1664	INVOICE_#24.exe
Token: SeDebugPrivilege	796	INVOICE_#24.exe
Token: SeDebugPrivilege	1104	colorcpl.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1664	INVOICE_#24.exe
1664	INVOICE_#24.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

INVOICE_#24.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 1664 wrote to memory of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 1664 wrote to memory of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 1664 wrote to memory of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 1664 wrote to memory of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 1664 wrote to memory of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 1664 wrote to memory of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 1664 wrote to memory of 796	1664	INVOICE_#24.exe	INVOICE_#24.exe
PID 1268 wrote to memory of 1104	1268	Explorer.EXE	colorcpl.exe
PID 1268 wrote to memory of 1104	1268	Explorer.EXE	colorcpl.exe
PID 1268 wrote to memory of 1104	1268	Explorer.EXE	colorcpl.exe
PID 1268 wrote to memory of 1104	1268	Explorer.EXE	colorcpl.exe
PID 1104 wrote to memory of 816	1104	colorcpl.exe	cmd.exe
PID 1104 wrote to memory of 816	1104	colorcpl.exe	cmd.exe
PID 1104 wrote to memory of 816	1104	colorcpl.exe	cmd.exe
PID 1104 wrote to memory of 816	1104	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1664

C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:796

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe"
3⤵
- Deletes itself
PID:816

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-47-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/796-48-0x000000000041B660-mapping.dmp

Download
memory/816-51-0x0000000000000000-mapping.dmp

Download
memory/1104-49-0x0000000000000000-mapping.dmp

Download
memory/1104-50-0x0000000000ED0000-0x0000000000EE8000-memory.dmp

Filesize
96KB

Download
memory/1104-52-0x0000000000D80000-0x0000000000E6F000-memory.dmp

Filesize
956KB

Download
memory/1684-46-0x000007FEF5B70000-0x000007FEF5DEA000-memory.dmp

Filesize
2.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads