formbook | 49e40687ad1ffb7ba491d92cd38333d3e96c134ba7739dcdd3e8ee2ea1b19506

General

Target

Payment - Swift Copy.exe
Size

878KB
MD5

373529da43706b9b230586b501a000fd
SHA1

d1a0ad8fe1c1adc9d27b5ceb3d7d27c9512c5495
SHA256

49e40687ad1ffb7ba491d92cd38333d3e96c134ba7739dcdd3e8ee2ea1b19506
SHA512

f5ba8fbb2409decc4982c5b9d0c7f6b479e8f184af33e99333b23fbfd493888477aa0442bf58290439bda2b2b26fa729aa6e6d0e2fa6ebe8cd23f0f916a4a085

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.danneroll.com/mnc/

Decoy

yicaiboli.com

litercoconut.icu

virtuallyfriday.com

joshuahumphreyproperty.com

mercedes-dieselclaims.com

rock-leaf.com

sandglasshours.com

pooldeckpatiodriveway.com

forenvid.com

wasserfuhr-gmbh.com

rizosmil.com

alberletgyor.com

besafetexting.com

ladoctoracorazon.net

prettyassframes.com

meetyourwish.com

achefskiss.com

parulata.com

thang8-freefirevn2.xyz

statuniverse.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2232-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2232-12-0x000000000041EB60-mapping.dmp	formbook
behavioral2/memory/2064-13-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment - Swift Copy.exePayment - Swift Copy.execontrol.exe

description	pid	process	target process
PID 1400 set thread context of 2232	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 2232 set thread context of 3024	2232	Payment - Swift Copy.exe	Explorer.EXE
PID 2064 set thread context of 3024	2064	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

Payment - Swift Copy.exePayment - Swift Copy.execontrol.exe

pid	process
1400	Payment - Swift Copy.exe
1400	Payment - Swift Copy.exe
1400	Payment - Swift Copy.exe
1400	Payment - Swift Copy.exe
1400	Payment - Swift Copy.exe
2232	Payment - Swift Copy.exe
2232	Payment - Swift Copy.exe
2232	Payment - Swift Copy.exe
2232	Payment - Swift Copy.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment - Swift Copy.execontrol.exe

pid process

2232 Payment - Swift Copy.exe
2232 Payment - Swift Copy.exe
2232 Payment - Swift Copy.exe
2064 control.exe
2064 control.exe

pid	process
2232	Payment - Swift Copy.exe
2232	Payment - Swift Copy.exe
2232	Payment - Swift Copy.exe
2064	control.exe
2064	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment - Swift Copy.exePayment - Swift Copy.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	1400	Payment - Swift Copy.exe
Token: SeDebugPrivilege	2232	Payment - Swift Copy.exe
Token: SeDebugPrivilege	2064	control.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
3024	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Payment - Swift Copy.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1400 wrote to memory of 2260	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2260	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2260	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2232	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2232	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2232	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2232	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2232	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 1400 wrote to memory of 2232	1400	Payment - Swift Copy.exe	Payment - Swift Copy.exe
PID 3024 wrote to memory of 2064	3024	Explorer.EXE	control.exe
PID 3024 wrote to memory of 2064	3024	Explorer.EXE	control.exe
PID 3024 wrote to memory of 2064	3024	Explorer.EXE	control.exe
PID 2064 wrote to memory of 2168	2064	control.exe	cmd.exe
PID 2064 wrote to memory of 2168	2064	control.exe	cmd.exe
PID 2064 wrote to memory of 2168	2064	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1400

C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
3⤵
PID:2260

C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe
"C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2232

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment - Swift Copy.exe"
3⤵
PID:2168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-9-0x0000000001290000-0x00000000012F5000-memory.dmp

Filesize
404KB

Download
memory/1400-5-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/1400-0-0x0000000073550000-0x0000000073C3E000-memory.dmp

Filesize
6.9MB

Download
memory/1400-4-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/1400-10-0x0000000006480000-0x00000000064B0000-memory.dmp

Filesize
192KB

Download
memory/1400-6-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/1400-7-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/1400-8-0x0000000005900000-0x0000000005913000-memory.dmp

Filesize
76KB

Download
memory/1400-3-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/1400-1-0x0000000000B30000-0x0000000000B31000-memory.dmp

Filesize
4KB

Download
memory/2064-13-0x0000000000000000-mapping.dmp

Download
memory/2064-14-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2064-15-0x0000000000230000-0x0000000000250000-memory.dmp

Filesize
128KB

Download
memory/2064-17-0x0000000005620000-0x000000000579A000-memory.dmp

Filesize
1.5MB

Download
memory/2168-16-0x0000000000000000-mapping.dmp

Download
memory/2232-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2232-12-0x000000000041EB60-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads