formbook | c1b2a36d08dfb9bc18d53112299e6cef0c5057885918a4485b8f1b87a20d709a

General

Target

STATEMENT OF ACCOUNTS.exe
Size

464KB
MD5

bbb834f13790a853aafd0d0adab527f4
SHA1

8b20c41d9c082642d9d7c858105d224b81f6fdc2
SHA256

c1b2a36d08dfb9bc18d53112299e6cef0c5057885918a4485b8f1b87a20d709a
SHA512

68303db868b5bf9897e636caf946c5dde5cf28e0590649e1f8e4b0e998eb7c1ea599b87c95f6f7361effcf6fb04737168ed15d9aad95e77acae3dfb619cfe87b

Score

10^/10

formbook rat rezer0 spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.salomdy.com/nfl/

Decoy

giacamp.net

qb51.party

mashalevine.com

russiasexdating.com

jitangyy.com

morockin.com

karoreiss.com

tractionhero.today

bienvenueenprovence.net

stormharbour.info

61999h.com

tryandcert.com

bestwaytosuccess.com

laobaochang.com

otomatiktente.com

rehpb.info

ivpdqb.info

dc-wv-wv-ie-q.com

goingmagic.com

cimachain.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1740-23-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1740-24-0x000000000041B620-mapping.dmp	formbook
behavioral1/memory/1788-25-0x0000000000000000-mapping.dmp	formbook

rezer0 1 IoCs

Detects ReZer0, a packer with multiple versions used in various campaigns.

rezer0

Processes:

resource	yara_rule
behavioral1/memory/1632-19-0x0000000000C60000-0x0000000000C92000-memory.dmp	rezer0

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

548 cmd.exe

pid	process
548	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

STATEMENT OF ACCOUNTS.exeSTATEMENT OF ACCOUNTS.exeNETSTAT.EXE

description	pid	process	target process
PID 1632 set thread context of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1740 set thread context of 1232	1740	STATEMENT OF ACCOUNTS.exe	Explorer.EXE
PID 1740 set thread context of 1232	1740	STATEMENT OF ACCOUNTS.exe	Explorer.EXE
PID 1788 set thread context of 1232	1788	NETSTAT.EXE	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1664 schtasks.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1788 NETSTAT.EXE

pid	process
1664	schtasks.exe

pid	process
1788	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

STATEMENT OF ACCOUNTS.exeSTATEMENT OF ACCOUNTS.exeNETSTAT.EXE

pid	process
1632	STATEMENT OF ACCOUNTS.exe
1632	STATEMENT OF ACCOUNTS.exe
1632	STATEMENT OF ACCOUNTS.exe
1740	STATEMENT OF ACCOUNTS.exe
1740	STATEMENT OF ACCOUNTS.exe
1740	STATEMENT OF ACCOUNTS.exe
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE
1788	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

STATEMENT OF ACCOUNTS.exeNETSTAT.EXE

pid	process
1740	STATEMENT OF ACCOUNTS.exe
1740	STATEMENT OF ACCOUNTS.exe
1740	STATEMENT OF ACCOUNTS.exe
1740	STATEMENT OF ACCOUNTS.exe
1788	NETSTAT.EXE
1788	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

STATEMENT OF ACCOUNTS.exeSTATEMENT OF ACCOUNTS.exeNETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1632	STATEMENT OF ACCOUNTS.exe
Token: SeDebugPrivilege	1740	STATEMENT OF ACCOUNTS.exe
Token: SeDebugPrivilege	1788	NETSTAT.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
1232 Explorer.EXE
1232 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1232 Explorer.EXE
1232 Explorer.EXE
1232 Explorer.EXE
1232 Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

pid	process
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

STATEMENT OF ACCOUNTS.exeSTATEMENT OF ACCOUNTS.exeNETSTAT.EXE

description	pid	process	target process
PID 1632 wrote to memory of 1664	1632	STATEMENT OF ACCOUNTS.exe	schtasks.exe
PID 1632 wrote to memory of 1664	1632	STATEMENT OF ACCOUNTS.exe	schtasks.exe
PID 1632 wrote to memory of 1664	1632	STATEMENT OF ACCOUNTS.exe	schtasks.exe
PID 1632 wrote to memory of 1664	1632	STATEMENT OF ACCOUNTS.exe	schtasks.exe
PID 1632 wrote to memory of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1632 wrote to memory of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1632 wrote to memory of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1632 wrote to memory of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1632 wrote to memory of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1632 wrote to memory of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1632 wrote to memory of 1740	1632	STATEMENT OF ACCOUNTS.exe	STATEMENT OF ACCOUNTS.exe
PID 1740 wrote to memory of 1788	1740	STATEMENT OF ACCOUNTS.exe	NETSTAT.EXE
PID 1740 wrote to memory of 1788	1740	STATEMENT OF ACCOUNTS.exe	NETSTAT.EXE
PID 1740 wrote to memory of 1788	1740	STATEMENT OF ACCOUNTS.exe	NETSTAT.EXE
PID 1740 wrote to memory of 1788	1740	STATEMENT OF ACCOUNTS.exe	NETSTAT.EXE
PID 1788 wrote to memory of 548	1788	NETSTAT.EXE	cmd.exe
PID 1788 wrote to memory of 548	1788	NETSTAT.EXE	cmd.exe
PID 1788 wrote to memory of 548	1788	NETSTAT.EXE	cmd.exe
PID 1788 wrote to memory of 548	1788	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1232

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNTS.exe
"C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNTS.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ObKQGjkvrU" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9C7E.tmp"
3⤵
- Creates scheduled task(s)
PID:1664

C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNTS.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
4⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1788

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\STATEMENT OF ACCOUNTS.exe"
5⤵
- Deletes itself
PID:548

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Command-Line Interface

1

T1059

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp9C7E.tmp
MD5
38c923e55bbe1a4d576487889f3b75f9

SHA1
a6a539c4de11cf06b84c47ece00395ff653693e6

SHA256
8bab71a45f0270232bcb219840a4fa163f0a90417fb75b3f496431839bafb681

SHA512
fa9fe8c45977715de1d3cd5be8556dc2270e6ab46ce5b8c98adb9c0b2c31337ee96517d04a19c11bbd7fe3bc3374924061c744eceb40ab06282e25a33b82c4ef

Download Submit
memory/548-27-0x0000000000000000-mapping.dmp

Download
memory/1232-29-0x0000000006EB0000-0x0000000006FFB000-memory.dmp

Filesize
1.3MB

Download
memory/1632-18-0x0000000000880000-0x0000000000883000-memory.dmp

Filesize
12KB

Download
memory/1632-19-0x0000000000C60000-0x0000000000C92000-memory.dmp

Filesize
200KB

Download
memory/1632-0-0x0000000074450000-0x0000000074B3E000-memory.dmp

Filesize
6.9MB

Download
memory/1632-3-0x0000000000330000-0x0000000000367000-memory.dmp

Filesize
220KB

Download
memory/1632-1-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/1664-20-0x0000000000000000-mapping.dmp

Download
memory/1740-23-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1740-24-0x000000000041B620-mapping.dmp

Download
memory/1788-25-0x0000000000000000-mapping.dmp

Download
memory/1788-26-0x0000000000220000-0x0000000000229000-memory.dmp

Filesize
36KB

Download
memory/1788-28-0x00000000032C0000-0x0000000003453000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads