formbook | d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1

General

Target

Shipping INVOICE-BL Shipment..exe
Size

427KB
MD5

579ba39b6a146080ef6481591440e445
SHA1

06bfc3b47e1ad6a35e10cb4a1edee6c563710107
SHA256

d8d9bb65ea3637fda09488baada0c9b387e0619b7c430b93c8a0fa2d8b489bc1
SHA512

bc2c920da35971ea6a6dfa8fc4f49829d6ba1eeae9589207b1f77a6e5f66d66dcb87396aadce266a61652f6fdfbe40503b9183af5f5ce26fa6cc9218df1597b9

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.jddq888.com/mqgf/

Decoy

decart.pro

qbluebaylivewd.com

idsbizb.icu

kepamieszczanska.com

greenislandcbg.com

usloader.site

auchandirect.sucks

relacionesdehechizo.com

slabrshop.com

cycheal.com

mycoaiko.com

prettythingsbyjessi.com

gettingthehelloutofca.com

reseachminister.com

techwomenlife.com

perfectfeelin.com

ez-mouse.com

thelonerangernews.com

hvcharging.com

caelaabadie.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2140-4-0x0000000004CE0000-0x0000000004D09000-memory.dmp	formbook
behavioral2/memory/3228-5-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/4368-6-0x0000000000000000-mapping.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

2140 rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmd.exeexplorer.exe

description	pid	process	target process
PID 3228 set thread context of 2852	3228	cmd.exe	Explorer.EXE
PID 4368 set thread context of 2852	4368	explorer.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

rundll32.execmd.exeexplorer.exe

pid	process
2140	rundll32.exe
3228	cmd.exe
3228	cmd.exe
3228	cmd.exe
3228	cmd.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe
4368	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rundll32.execmd.exeexplorer.exe

pid process

2140 rundll32.exe
3228 cmd.exe
3228 cmd.exe
3228 cmd.exe
4368 explorer.exe
4368 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 3228 cmd.exe
Token: SeDebugPrivilege 4368 explorer.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2852 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3228	cmd.exe
Token: SeDebugPrivilege	4368	explorer.exe

pid	process
2852	Explorer.EXE

Suspicious use of WriteProcessMemory 89 IoCs

Processes:

Shipping INVOICE-BL Shipment..exerundll32.exe

description	pid	process	target process
PID 4712 wrote to memory of 2140	4712	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 4712 wrote to memory of 2140	4712	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 4712 wrote to memory of 2140	4712	Shipping INVOICE-BL Shipment..exe	rundll32.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe
PID 2140 wrote to memory of 3228	2140	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:2852

C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe
"C:\Users\Admin\AppData\Local\Temp\Shipping INVOICE-BL Shipment..exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4712

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe Prehnite,Lychnises
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2140

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3228

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4368

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Erodium
MD5
980a6b092855d202363b6436e4a854e8

SHA1
aa8e1a7e1ab7832c3112e5c35b7da143ff919ce0

SHA256
f617d029f947ebb5c0b7b159233e699f5653a1f92e81f9fe44c60555884dc93c

SHA512
6dedf42a718dbc5a4ad25c20561c3adc0fc629d1135aa68d02fc264363617c827fe7eaa0dd49e828df93d80852b4e5aa8c932b20d43ff833c02c4b868df30367

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prehnite.DLL
MD5
f8aa685a3908110e79f4639aa7daddfa

SHA1
dd4d16172ea4851f757abd34a8cb3c835552e6a3

SHA256
aeea4b86ea607cf9820e3cadd4e98353a57ec789ec0a0e2fefbdd84abd25194a

SHA512
8989a1e5a29043a8cec9353d8923dc7fca52988949637133d5af5f655b04c8016ef8930da4f57a9c068b8e9208c4b8ae2bdaca9ca699755d139cab0ed2a3c5a6

Download Submit
\Users\Admin\AppData\Local\Temp\Prehnite.dll
MD5
f8aa685a3908110e79f4639aa7daddfa

SHA1
dd4d16172ea4851f757abd34a8cb3c835552e6a3

SHA256
aeea4b86ea607cf9820e3cadd4e98353a57ec789ec0a0e2fefbdd84abd25194a

SHA512
8989a1e5a29043a8cec9353d8923dc7fca52988949637133d5af5f655b04c8016ef8930da4f57a9c068b8e9208c4b8ae2bdaca9ca699755d139cab0ed2a3c5a6

Download Submit
memory/2140-0-0x0000000000000000-mapping.dmp

Download
memory/2140-4-0x0000000004CE0000-0x0000000004D09000-memory.dmp

Filesize
164KB

Download
memory/3044-9-0x0000000000000000-mapping.dmp

Download
memory/3228-5-0x0000000000000000-mapping.dmp

Download
memory/4368-6-0x0000000000000000-mapping.dmp

Download
memory/4368-7-0x00000000008C0000-0x0000000000CFF000-memory.dmp

Filesize
4.2MB

Download
memory/4368-8-0x00000000008C0000-0x0000000000CFF000-memory.dmp

Filesize
4.2MB

Download
memory/4368-10-0x0000000006D20000-0x0000000006E65000-memory.dmp

Filesize
1.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads