formbook | 20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9

General

Target

INVOICE_#24.exe
Size

396KB
MD5

15fc2ccb48e28c2001728c3b92022e3b
SHA1

4745737dde241e42470a73303778e2ba37a6e761
SHA256

20b27c73d6c337c95759c21e02e1e795fb7f07413e46f053e6e728c5de342dd9
SHA512

e8d8d642ea33c26a6b54346a3819803fa6be37188a9fb25c33a96ff7696af5fb1c77f2de0e4bc4f26255c301b7324ea80a60c7b06e35c372a02845a306656d1b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.govaj.com/bd2/

Decoy

coffeeflyer.com

joy-cars.com

excp0st.com

pancakesandprotein.com

teenboys.info

theperfectgiftshop.net

maomao2017.com

musiclabtacoma.com

taskrit.com

pthjxx.com

114man.com

worldsjsj.com

rjpmuztrygwn.online

casinotoponlineplay.technology

tm88z.com

navnoorkang.com

lazydogkennels.net

yisilv.com

usasubels.com

desperatehouse-lives.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/196-3-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/196-4-0x000000000041B660-mapping.dmp	formbook
behavioral2/memory/2828-5-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

INVOICE_#24.exeINVOICE_#24.execmstp.exe

description	pid	process	target process
PID 4076 set thread context of 196	4076	INVOICE_#24.exe	INVOICE_#24.exe
PID 196 set thread context of 2756	196	INVOICE_#24.exe	Explorer.EXE
PID 2828 set thread context of 2756	2828	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

INVOICE_#24.execmstp.exe

pid	process
196	INVOICE_#24.exe
196	INVOICE_#24.exe
196	INVOICE_#24.exe
196	INVOICE_#24.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

INVOICE_#24.execmstp.exe

pid process

196 INVOICE_#24.exe
196 INVOICE_#24.exe
196 INVOICE_#24.exe
2828 cmstp.exe
2828 cmstp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

INVOICE_#24.exeINVOICE_#24.execmstp.exe

description pid process

Token: SeDebugPrivilege 4076 INVOICE_#24.exe
Token: SeDebugPrivilege 196 INVOICE_#24.exe
Token: SeDebugPrivilege 2828 cmstp.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

INVOICE_#24.exe

pid process

4076 INVOICE_#24.exe
4076 INVOICE_#24.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2756 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4076	INVOICE_#24.exe
Token: SeDebugPrivilege	196	INVOICE_#24.exe
Token: SeDebugPrivilege	2828	cmstp.exe

pid	process
4076	INVOICE_#24.exe
4076	INVOICE_#24.exe

pid	process
2756	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

INVOICE_#24.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4076 wrote to memory of 196	4076	INVOICE_#24.exe	INVOICE_#24.exe
PID 4076 wrote to memory of 196	4076	INVOICE_#24.exe	INVOICE_#24.exe
PID 4076 wrote to memory of 196	4076	INVOICE_#24.exe	INVOICE_#24.exe
PID 4076 wrote to memory of 196	4076	INVOICE_#24.exe	INVOICE_#24.exe
PID 4076 wrote to memory of 196	4076	INVOICE_#24.exe	INVOICE_#24.exe
PID 4076 wrote to memory of 196	4076	INVOICE_#24.exe	INVOICE_#24.exe
PID 2756 wrote to memory of 2828	2756	Explorer.EXE	cmstp.exe
PID 2756 wrote to memory of 2828	2756	Explorer.EXE	cmstp.exe
PID 2756 wrote to memory of 2828	2756	Explorer.EXE	cmstp.exe
PID 2828 wrote to memory of 3896	2828	cmstp.exe	cmd.exe
PID 2828 wrote to memory of 3896	2828	cmstp.exe	cmd.exe
PID 2828 wrote to memory of 3896	2828	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2756

C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe
"C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4076

C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:196

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2208

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1540

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1464

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1008

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\INVOICE_#24.exe"
3⤵
PID:3896

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/196-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/196-4-0x000000000041B660-mapping.dmp

Download
memory/2828-5-0x0000000000000000-mapping.dmp

Download
memory/2828-6-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/2828-7-0x0000000000310000-0x0000000000326000-memory.dmp

Filesize
88KB

Download
memory/2828-9-0x0000000005650000-0x00000000057B5000-memory.dmp

Filesize
1.4MB

Download
memory/3896-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads