formbook | 8d81e9e64adbbba0b32ff5e50a4af3afade44023876d62b8e4aa31c4aea3ec45

General

Target

S4P1JiBZIZxvtFR.exe
Size

870KB
MD5

6571a45194e01c7a51305974058b5eed
SHA1

0871ac8004e7bc5cdd5ecec7e61e0fed30b7bc89
SHA256

8d81e9e64adbbba0b32ff5e50a4af3afade44023876d62b8e4aa31c4aea3ec45
SHA512

0f81e28bdf681596da42778862cb895faf26c127ffe95ba0c79a28139444eb72cae93dc6fff89225ea174a9450645e9d02ccbbf960882f8333ecafdefe538ce0

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.pddjdjp.com/2bb/

Decoy

buymystuff4me.online

nutritionfactor.net

mifactura.online

mskank.com

travel4benefits.com

harzak.com

2048zone.com

melaninswagger.com

kalakarmanch.com

ijustsaad.com

bikersagainstantifa.com

eddie-diaz.com

newcrestredchrisltd.com

virtualpresentersnetwork.com

narocinama.com

geralouiwarene.com

moldremovalintaunton.com

theperfectsupport.com

onlinestoragecloud.com

defisoftwares.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/740-9-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/740-10-0x000000000041EB80-mapping.dmp	formbook
behavioral1/memory/924-11-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1116 cmd.exe

pid	process
1116	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

S4P1JiBZIZxvtFR.exeS4P1JiBZIZxvtFR.execmd.exe

description	pid	process	target process
PID 1852 set thread context of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 740 set thread context of 1216	740	S4P1JiBZIZxvtFR.exe	Explorer.EXE
PID 924 set thread context of 1216	924	cmd.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1568 schtasks.exe

pid	process
1568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

S4P1JiBZIZxvtFR.execmd.exe

pid	process
740	S4P1JiBZIZxvtFR.exe
740	S4P1JiBZIZxvtFR.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe
924	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

S4P1JiBZIZxvtFR.execmd.exe

pid process

740 S4P1JiBZIZxvtFR.exe
740 S4P1JiBZIZxvtFR.exe
740 S4P1JiBZIZxvtFR.exe
924 cmd.exe
924 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

S4P1JiBZIZxvtFR.execmd.exe

description pid process

Token: SeDebugPrivilege 740 S4P1JiBZIZxvtFR.exe
Token: SeDebugPrivilege 924 cmd.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE
1216 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	740	S4P1JiBZIZxvtFR.exe
Token: SeDebugPrivilege	924	cmd.exe

pid	process
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE

pid	process
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE
1216	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

S4P1JiBZIZxvtFR.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 1852 wrote to memory of 1568	1852	S4P1JiBZIZxvtFR.exe	schtasks.exe
PID 1852 wrote to memory of 1568	1852	S4P1JiBZIZxvtFR.exe	schtasks.exe
PID 1852 wrote to memory of 1568	1852	S4P1JiBZIZxvtFR.exe	schtasks.exe
PID 1852 wrote to memory of 1568	1852	S4P1JiBZIZxvtFR.exe	schtasks.exe
PID 1852 wrote to memory of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 1852 wrote to memory of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 1852 wrote to memory of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 1852 wrote to memory of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 1852 wrote to memory of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 1852 wrote to memory of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 1852 wrote to memory of 740	1852	S4P1JiBZIZxvtFR.exe	S4P1JiBZIZxvtFR.exe
PID 1216 wrote to memory of 924	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 924	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 924	1216	Explorer.EXE	cmd.exe
PID 1216 wrote to memory of 924	1216	Explorer.EXE	cmd.exe
PID 924 wrote to memory of 1116	924	cmd.exe	cmd.exe
PID 924 wrote to memory of 1116	924	cmd.exe	cmd.exe
PID 924 wrote to memory of 1116	924	cmd.exe	cmd.exe
PID 924 wrote to memory of 1116	924	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1216

C:\Users\Admin\AppData\Local\Temp\S4P1JiBZIZxvtFR.exe
"C:\Users\Admin\AppData\Local\Temp\S4P1JiBZIZxvtFR.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1852

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\RbvDCDhbsVUdAc" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD059.tmp"
3⤵
- Creates scheduled task(s)
PID:1568

C:\Users\Admin\AppData\Local\Temp\S4P1JiBZIZxvtFR.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:924

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\S4P1JiBZIZxvtFR.exe"
3⤵
- Deletes itself
PID:1116

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpD059.tmp
MD5
7263832cd18a0d3f9eb58b3eb668aa29

SHA1
85a7a1c08ded14ee20dc0ccec539e55ce8492a7a

SHA256
afd80ffccbc6b146273e906b28b3ce94f058cd41b8389d26f3ed61a34a337605

SHA512
4dff58353b7562ef610475ef26ab5ec950264ab9735f25cb217b7d504d980d47b097814c9455fe068f5839028abe5579ae3635537f3cf3a36d17421386c06582

Download Submit
memory/740-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/740-10-0x000000000041EB80-mapping.dmp

Download
memory/924-11-0x0000000000000000-mapping.dmp

Download
memory/924-12-0x000000004A340000-0x000000004A38C000-memory.dmp

Filesize
304KB

Download
memory/924-14-0x0000000003100000-0x00000000031DB000-memory.dmp

Filesize
876KB

Download
memory/1116-13-0x0000000000000000-mapping.dmp

Download
memory/1568-7-0x0000000000000000-mapping.dmp

Download
memory/1852-2-0x0000000074840000-0x0000000074F2E000-memory.dmp

Filesize
6.9MB

Download
memory/1852-3-0x0000000001050000-0x0000000001051000-memory.dmp

Filesize
4KB

Download
memory/1852-5-0x0000000000810000-0x000000000081E000-memory.dmp

Filesize
56KB

Download
memory/1852-6-0x0000000005A30000-0x0000000005ACA000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads