formbook | aae9b362789cdf8a185d9b963cb3b0ba5d7f5599285cecd8625944168232c42c

General

Target

RFQ-MNAMR-001RB-WhastsAAp Images.exe
Size

398KB
MD5

239efcf744fc1e906b704d4eebe4a962
SHA1

c8c0fe13941c237cd72c2eb3adcfc13f9513d32d
SHA256

aae9b362789cdf8a185d9b963cb3b0ba5d7f5599285cecd8625944168232c42c
SHA512

affe8bdcfbdc3e2554f2b8c887a9d417a69b5e031f7433ecf8971cc14a55bbabb70fbacd495a23d355662a679fbca321c38eb46e37949ea51e2e290ad7558af9

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.salomdy.com/xcm/

Decoy

xn--rhq5es99j.com

storage-download-fast.review

campingfamilly.com

rientbottcieux.info

2015z.com

999izo.info

guojiafangshui.com

jpaecwra.com

evergreenmga.net

semprebellissima.store

meizin01.com

bangladesherkhobor.net

rivercoveresidencessg.com

carbonfibercrew.com

1rbld2.biz

nikolatesla.review

erlandsonsbrygga.com

cursosreikiadistancia.com

centraldemotorersltda.com

shelskysbrooklynbagels.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1936-55-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1936-56-0x000000000041B6F0-mapping.dmp	formbook
behavioral1/memory/1216-57-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1204 cmd.exe

pid	process
1204	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

RFQ-MNAMR-001RB-WhastsAAp Images.exeRFQ-MNAMR-001RB-WhastsAAp Images.exehelp.exe

description	pid	process	target process
PID 1804 set thread context of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1936 set thread context of 1224	1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe	Explorer.EXE
PID 1936 set thread context of 1224	1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe	Explorer.EXE
PID 1216 set thread context of 1224	1216	help.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1000 schtasks.exe

pid	process
1000	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

RFQ-MNAMR-001RB-WhastsAAp Images.exehelp.exe

pid	process
1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe
1216	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RFQ-MNAMR-001RB-WhastsAAp Images.exehelp.exe

pid	process
1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1216	help.exe
1216	help.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ-MNAMR-001RB-WhastsAAp Images.exeRFQ-MNAMR-001RB-WhastsAAp Images.exehelp.exe

description	pid	process
Token: SeDebugPrivilege	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe
Token: SeDebugPrivilege	1936	RFQ-MNAMR-001RB-WhastsAAp Images.exe
Token: SeDebugPrivilege	1216	help.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1224 Explorer.EXE
1224 Explorer.EXE
1224 Explorer.EXE
1224 Explorer.EXE
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

RFQ-MNAMR-001RB-WhastsAAp Images.exe

pid process

1804 RFQ-MNAMR-001RB-WhastsAAp Images.exe
1804 RFQ-MNAMR-001RB-WhastsAAp Images.exe

pid	process
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE
1224	Explorer.EXE

pid	process
1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe
1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

RFQ-MNAMR-001RB-WhastsAAp Images.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1804 wrote to memory of 1000	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	schtasks.exe
PID 1804 wrote to memory of 1000	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	schtasks.exe
PID 1804 wrote to memory of 1000	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	schtasks.exe
PID 1804 wrote to memory of 1000	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	schtasks.exe
PID 1804 wrote to memory of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1804 wrote to memory of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1804 wrote to memory of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1804 wrote to memory of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1804 wrote to memory of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1804 wrote to memory of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1804 wrote to memory of 1936	1804	RFQ-MNAMR-001RB-WhastsAAp Images.exe	RFQ-MNAMR-001RB-WhastsAAp Images.exe
PID 1224 wrote to memory of 1216	1224	Explorer.EXE	help.exe
PID 1224 wrote to memory of 1216	1224	Explorer.EXE	help.exe
PID 1224 wrote to memory of 1216	1224	Explorer.EXE	help.exe
PID 1224 wrote to memory of 1216	1224	Explorer.EXE	help.exe
PID 1216 wrote to memory of 1204	1216	help.exe	cmd.exe
PID 1216 wrote to memory of 1204	1216	help.exe	cmd.exe
PID 1216 wrote to memory of 1204	1216	help.exe	cmd.exe
PID 1216 wrote to memory of 1204	1216	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1804

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fgySYm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4AF5.tmp"
3⤵
- Creates scheduled task(s)
PID:1000

C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1936

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1656

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ-MNAMR-001RB-WhastsAAp Images.exe"
3⤵
- Deletes itself
PID:1204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp4AF5.tmp
MD5
9796afa8cf0acb763f3021fbacddf752

SHA1
6904111fdd5a45ab09592c01ee7b4f6c6076fbcd

SHA256
73cd940167e4c37d4a1d8d9d9b614de24dd95e0abc56420084bdf8ae1beeef5e

SHA512
73724c4dc8ad5af35e2f7b907e9004e914f22f2270b0dcb62dc3ebe0f47268b9b1487d89bc97a32390b08a83f4c637cb2a272f4d7cca6fc2832b7152a4aa1892

Download Submit
memory/1000-52-0x0000000000000000-mapping.dmp

Download
memory/1204-59-0x0000000000000000-mapping.dmp

Download
memory/1216-57-0x0000000000000000-mapping.dmp

Download
memory/1216-58-0x0000000000D10000-0x0000000000D16000-memory.dmp

Filesize
24KB

Download
memory/1216-60-0x00000000006F0000-0x0000000000852000-memory.dmp

Filesize
1.4MB

Download
memory/1320-51-0x000007FEF77C0000-0x000007FEF7A3A000-memory.dmp

Filesize
2.5MB

Download
memory/1936-55-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1936-56-0x000000000041B6F0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads