formbook | 06a0e3845d7b4c5593a9143eb1ae73223760d68f2acf0e5be631b9eeab3675f3

General

Target

2020112395387_pdf.exe
Size

390KB
MD5

e54d832cb872b7dc086ab7a7878d38fb
SHA1

dd865deaffa4558eebebcb83b5335de2b0b26327
SHA256

06a0e3845d7b4c5593a9143eb1ae73223760d68f2acf0e5be631b9eeab3675f3
SHA512

04a78936551df1bf62d4b256c2a5888af840d9f1fb1735810b1c5145af0795c6c84e03b66754137242691aa0ffa26ceb7295d3cdc59323b939daa8d7cb24bac0

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.blog-cybersecurite.net/ogg/

Decoy

constmotion.com

castinginiciadas.com

dalvgroup.com

dmetuningkw.com

everygrindcount.com

lovewrendley.com

yourtallahassee.com

healer-jou.com

china-gadge.com

theplatinumworld.com

rakutenlle.xyz

neroflex.com

zdysks.com

e-learningorange.com

starbleach.com

apexappsllc.com

sinteredsurface.com

upcas.info

monetizemybizadvertisers.com

tsptoolbox.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5092-0-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/5092-1-0x000000000041EB50-mapping.dmp	formbook
behavioral2/memory/3700-3-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

2020112395387_pdf.exe2020112395387_pdf.exesvchost.exe

description	pid	process	target process
PID 4752 set thread context of 5092	4752	2020112395387_pdf.exe	2020112395387_pdf.exe
PID 5092 set thread context of 3012	5092	2020112395387_pdf.exe	Explorer.EXE
PID 3700 set thread context of 3012	3700	svchost.exe	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

2020112395387_pdf.exesvchost.exe

pid	process
5092	2020112395387_pdf.exe
5092	2020112395387_pdf.exe
5092	2020112395387_pdf.exe
5092	2020112395387_pdf.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe
3700	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

2020112395387_pdf.exe2020112395387_pdf.exesvchost.exe

pid process

4752 2020112395387_pdf.exe
5092 2020112395387_pdf.exe
5092 2020112395387_pdf.exe
5092 2020112395387_pdf.exe
3700 svchost.exe
3700 svchost.exe

pid	process
4752	2020112395387_pdf.exe
5092	2020112395387_pdf.exe
5092	2020112395387_pdf.exe
5092	2020112395387_pdf.exe
3700	svchost.exe
3700	svchost.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

Processes:

2020112395387_pdf.exeExplorer.EXEsvchost.exe

description	pid	process
Token: SeDebugPrivilege	5092	2020112395387_pdf.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeDebugPrivilege	3700	svchost.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

2020112395387_pdf.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4752 wrote to memory of 5092	4752	2020112395387_pdf.exe	2020112395387_pdf.exe
PID 4752 wrote to memory of 5092	4752	2020112395387_pdf.exe	2020112395387_pdf.exe
PID 4752 wrote to memory of 5092	4752	2020112395387_pdf.exe	2020112395387_pdf.exe
PID 4752 wrote to memory of 5092	4752	2020112395387_pdf.exe	2020112395387_pdf.exe
PID 3012 wrote to memory of 3700	3012	Explorer.EXE	svchost.exe
PID 3012 wrote to memory of 3700	3012	Explorer.EXE	svchost.exe
PID 3012 wrote to memory of 3700	3012	Explorer.EXE	svchost.exe
PID 3700 wrote to memory of 2084	3700	svchost.exe	cmd.exe
PID 3700 wrote to memory of 2084	3700	svchost.exe	cmd.exe
PID 3700 wrote to memory of 2084	3700	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4752

C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5092

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\2020112395387_pdf.exe"
3⤵
PID:2084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2084-6-0x0000000000000000-mapping.dmp

Download
memory/3700-3-0x0000000000000000-mapping.dmp

Download
memory/3700-4-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/3700-5-0x0000000001000000-0x000000000100C000-memory.dmp

Filesize
48KB

Download
memory/3700-7-0x0000000003F00000-0x0000000004057000-memory.dmp

Filesize
1.3MB

Download
memory/5092-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5092-1-0x000000000041EB50-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads