formbook | 49e40687ad1ffb7ba491d92cd38333d3e96c134ba7739dcdd3e8ee2ea1b19506

General

Target

Payment - Swift Copy.exe
Size

878KB
MD5

373529da43706b9b230586b501a000fd
SHA1

d1a0ad8fe1c1adc9d27b5ceb3d7d27c9512c5495
SHA256

49e40687ad1ffb7ba491d92cd38333d3e96c134ba7739dcdd3e8ee2ea1b19506
SHA512

f5ba8fbb2409decc4982c5b9d0c7f6b479e8f184af33e99333b23fbfd493888477aa0442bf58290439bda2b2b26fa729aa6e6d0e2fa6ebe8cd23f0f916a4a085

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.danneroll.com/mnc/

Decoy

yicaiboli.com

litercoconut.icu

virtuallyfriday.com

joshuahumphreyproperty.com

mercedes-dieselclaims.com

rock-leaf.com

sandglasshours.com

pooldeckpatiodriveway.com

forenvid.com

wasserfuhr-gmbh.com

rizosmil.com

alberletgyor.com

besafetexting.com

ladoctoracorazon.net

prettyassframes.com

meetyourwish.com

achefskiss.com

parulata.com

thang8-freefirevn2.xyz

statuniverse.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1748-6-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1748-7-0x000000000041EB60-mapping.dmp	formbook
behavioral1/memory/1756-8-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1116 cmd.exe

pid	process
1116	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment - Swift Copy.exePayment - Swift Copy.execontrol.exe

description	pid	process	target process
PID 1056 set thread context of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1748 set thread context of 1256	1748	Payment - Swift Copy.exe	Explorer.EXE
PID 1756 set thread context of 1256	1756	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Payment - Swift Copy.exePayment - Swift Copy.execontrol.exe

pid	process
1056	Payment - Swift Copy.exe
1056	Payment - Swift Copy.exe
1748	Payment - Swift Copy.exe
1748	Payment - Swift Copy.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe
1756	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment - Swift Copy.execontrol.exe

pid process

1748 Payment - Swift Copy.exe
1748 Payment - Swift Copy.exe
1748 Payment - Swift Copy.exe
1756 control.exe
1756 control.exe

pid	process
1748	Payment - Swift Copy.exe
1748	Payment - Swift Copy.exe
1748	Payment - Swift Copy.exe
1756	control.exe
1756	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment - Swift Copy.exePayment - Swift Copy.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	1056	Payment - Swift Copy.exe
Token: SeDebugPrivilege	1748	Payment - Swift Copy.exe
Token: SeDebugPrivilege	1756	control.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Payment - Swift Copy.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1056 wrote to memory of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1056 wrote to memory of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1056 wrote to memory of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1056 wrote to memory of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1056 wrote to memory of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1056 wrote to memory of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1056 wrote to memory of 1748	1056	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1256 wrote to memory of 1756	1256	Explorer.EXE	control.exe
PID 1256 wrote to memory of 1756	1256	Explorer.EXE	control.exe
PID 1256 wrote to memory of 1756	1256	Explorer.EXE	control.exe
PID 1256 wrote to memory of 1756	1256	Explorer.EXE	control.exe
PID 1756 wrote to memory of 1116	1756	control.exe	cmd.exe
PID 1756 wrote to memory of 1116	1756	control.exe	cmd.exe
PID 1756 wrote to memory of 1116	1756	control.exe	cmd.exe
PID 1756 wrote to memory of 1116	1756	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1056

C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1748

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
3⤵
- Deletes itself
PID:1116

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1056-0-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/1056-1-0x00000000009B0000-0x00000000009B1000-memory.dmp

Filesize
4KB

Download
memory/1056-3-0x0000000000610000-0x0000000000623000-memory.dmp

Filesize
76KB

Download
memory/1056-4-0x0000000004FF0000-0x0000000005055000-memory.dmp

Filesize
404KB

Download
memory/1056-5-0x00000000049C0000-0x00000000049F0000-memory.dmp

Filesize
192KB

Download
memory/1116-10-0x0000000000000000-mapping.dmp

Download
memory/1748-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1748-7-0x000000000041EB60-mapping.dmp

Download
memory/1756-9-0x0000000000070000-0x000000000008F000-memory.dmp

Filesize
124KB

Download
memory/1756-8-0x0000000000000000-mapping.dmp

Download
memory/1756-11-0x0000000002F50000-0x0000000003065000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads