formbook | 29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318

General

Target

anthon.exe
Size

337KB
MD5

ea85c89530ed6f12fd8b75451f37afd5
SHA1

9ad88734ca8e7c7e0f09b89f244ca7f4a1f606a6
SHA256

29f75d4db1b85197038c1ed08661ef0a72158ac895e6aac76526bab07d83c318
SHA512

f89c1b3123f77616ee692cb0da7c35b1c095b2917015fa5e38140e1f6755e1937acab3e1269ce414e0c677446df5aa2dd923bf5e238d390c936dffac6311952b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.wellnesspharma.net/94sb/

Decoy

kaligao.com

springsbounce.com

dreamytree.com

trylolows.com

butload.info

creperie-pancakesquare.com

mirajions.com

joineduphealthresources.net

hamradioblogs.com

linghuidz.com

atelierzeste.com

tweens.network

perteprampram03.net

connorneill.com

nannatech.com

chrmo.com

nanoring.info

mapomarket.com

bongkey.com

sdhhzp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3436-4-0x00000000054A0000-0x00000000054C9000-memory.dmp	formbook
behavioral2/memory/3600-5-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/184-6-0x0000000000000000-mapping.dmp	formbook

Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3436 rundll32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

cmd.exeexplorer.exe

description	pid	process	target process
PID 3600 set thread context of 2144	3600	cmd.exe	Explorer.EXE
PID 184 set thread context of 2144	184	explorer.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

rundll32.execmd.exeexplorer.exe

pid	process
3436	rundll32.exe
3600	cmd.exe
3600	cmd.exe
3600	cmd.exe
3600	cmd.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe
184	explorer.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rundll32.execmd.exeexplorer.exe

pid process

3436 rundll32.exe
3600 cmd.exe
3600 cmd.exe
3600 cmd.exe
184 explorer.exe
184 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cmd.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 3600 cmd.exe
Token: SeDebugPrivilege 184 explorer.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2144 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3600	cmd.exe
Token: SeDebugPrivilege	184	explorer.exe

pid	process
2144	Explorer.EXE

Suspicious use of WriteProcessMemory 89 IoCs

Processes:

anthon.exerundll32.exe

description	pid	process	target process
PID 984 wrote to memory of 3436	984	anthon.exe	rundll32.exe
PID 984 wrote to memory of 3436	984	anthon.exe	rundll32.exe
PID 984 wrote to memory of 3436	984	anthon.exe	rundll32.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe
PID 3436 wrote to memory of 3600	3436	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
PID:2144

C:\Users\Admin\AppData\Local\Temp\anthon.exe
"C:\Users\Admin\AppData\Local\Temp\anthon.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe CloisonParticiple,Touchstones
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3436

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:184

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\cmd.exe"
3⤵
PID:3488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CloisonParticiple.DLL
MD5
214b7024c4e0b928e995eef2a7805939

SHA1
0fdf0897e02c19420f7bb5b905e3406d08c43e99

SHA256
6f48abfe00075915b03732910b9c7325e10d84760fd2d46924191d25de46ae00

SHA512
43889795edc78626a14a142683778bbacc4f82ed02a5c30debe402d4b0fc5b29f085f97793c613b2cfa8cb15c62e5c345d3149db2c408307f1c1c4d053344173

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fatigue
MD5
9b43d88b4879b96ec30ae5b5ffee8809

SHA1
bd10a035b506775df3ecb7c49c7a6ccde397e553

SHA256
7d1007db2eeaf7bbba67ecd8607c0b70739463dbed98002aa5b2852f86b80760

SHA512
c9e10c1c74423dc7cf29ea83256c50de27f9d51331b210e6a1b4b31ca00587e2ad6ae30b1ad7d675be5cd270d8c471be0ccd7f57fe9c22547168dda2575ef7ab

Download Submit
\Users\Admin\AppData\Local\Temp\CloisonParticiple.dll
MD5
214b7024c4e0b928e995eef2a7805939

SHA1
0fdf0897e02c19420f7bb5b905e3406d08c43e99

SHA256
6f48abfe00075915b03732910b9c7325e10d84760fd2d46924191d25de46ae00

SHA512
43889795edc78626a14a142683778bbacc4f82ed02a5c30debe402d4b0fc5b29f085f97793c613b2cfa8cb15c62e5c345d3149db2c408307f1c1c4d053344173

Download Submit
memory/184-6-0x0000000000000000-mapping.dmp

Download
memory/184-7-0x0000000001030000-0x000000000146F000-memory.dmp

Filesize
4.2MB

Download
memory/184-8-0x0000000001030000-0x000000000146F000-memory.dmp

Filesize
4.2MB

Download
memory/184-10-0x0000000007220000-0x0000000007332000-memory.dmp

Filesize
1.1MB

Download
memory/3436-0-0x0000000000000000-mapping.dmp

Download
memory/3436-4-0x00000000054A0000-0x00000000054C9000-memory.dmp

Filesize
164KB

Download
memory/3488-9-0x0000000000000000-mapping.dmp

Download
memory/3600-5-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads