formbook | 94ff08030a3e4421baf3ad3489d4d757dd4e8aab659aa8a06f99d2d81526d17e

General

Target

HSBC payment swift copy.exe
Size

939KB
MD5

a4157360da26197715f33249273aca5b
SHA1

1d7c9da78fccf8becc3dd7585f2a6a6882bc561f
SHA256

94ff08030a3e4421baf3ad3489d4d757dd4e8aab659aa8a06f99d2d81526d17e
SHA512

bc50504e9df77d05771a15d0667e26e7984487c44a9de30252ec49cd5299637246c16ebe51a00c8478860997b4b7b0c593017f9f6a25dfc0d26fc8053973f4e7

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.deejayatl.com/khm/

Decoy

bizzglobal.com

sura-solutions.com

zhaofu7.com

electricindians.com

thedirtyreds.com

graalmilitaryofficial.com

yx-vinylglove.com

e-zenithonline.com

iric-canada.net

solrsmrtnrg.com

terdissuadablesouthe.net

farhadmagic.com

mysimplenook.com

melkavand.com

swirlinginlimbo.com

dentist-sandimas.com

88265536.com

88q18.com

kogiz.com

hasbiadam.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3136-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3136-13-0x000000000041EA90-mapping.dmp	formbook
behavioral2/memory/1992-14-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

HSBC payment swift copy.exeHSBC payment swift copy.exeNETSTAT.EXE

description	pid	process	target process
PID 3636 set thread context of 3136	3636	HSBC payment swift copy.exe	HSBC payment swift copy.exe
PID 3136 set thread context of 2908	3136	HSBC payment swift copy.exe	Explorer.EXE
PID 1992 set thread context of 2908	1992	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

1992 NETSTAT.EXE

pid	process
1992	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

HSBC payment swift copy.exeNETSTAT.EXE

pid	process
3136	HSBC payment swift copy.exe
3136	HSBC payment swift copy.exe
3136	HSBC payment swift copy.exe
3136	HSBC payment swift copy.exe
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE
1992	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

HSBC payment swift copy.exeNETSTAT.EXE

pid process

3136 HSBC payment swift copy.exe
3136 HSBC payment swift copy.exe
3136 HSBC payment swift copy.exe
1992 NETSTAT.EXE
1992 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HSBC payment swift copy.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 3136 HSBC payment swift copy.exe
Token: SeDebugPrivilege 1992 NETSTAT.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2908 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3136	HSBC payment swift copy.exe
Token: SeDebugPrivilege	1992	NETSTAT.EXE

pid	process
2908	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HSBC payment swift copy.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3636 wrote to memory of 3136	3636	HSBC payment swift copy.exe	HSBC payment swift copy.exe
PID 3636 wrote to memory of 3136	3636	HSBC payment swift copy.exe	HSBC payment swift copy.exe
PID 3636 wrote to memory of 3136	3636	HSBC payment swift copy.exe	HSBC payment swift copy.exe
PID 3636 wrote to memory of 3136	3636	HSBC payment swift copy.exe	HSBC payment swift copy.exe
PID 3636 wrote to memory of 3136	3636	HSBC payment swift copy.exe	HSBC payment swift copy.exe
PID 3636 wrote to memory of 3136	3636	HSBC payment swift copy.exe	HSBC payment swift copy.exe
PID 2908 wrote to memory of 1992	2908	Explorer.EXE	NETSTAT.EXE
PID 2908 wrote to memory of 1992	2908	Explorer.EXE	NETSTAT.EXE
PID 2908 wrote to memory of 1992	2908	Explorer.EXE	NETSTAT.EXE
PID 1992 wrote to memory of 3896	1992	NETSTAT.EXE	cmd.exe
PID 1992 wrote to memory of 3896	1992	NETSTAT.EXE	cmd.exe
PID 1992 wrote to memory of 3896	1992	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2908

C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3636

C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe
"C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3136

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1992

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HSBC payment swift copy.exe"
3⤵
PID:3896

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1992-18-0x0000000002AD0000-0x0000000002C16000-memory.dmp

Filesize
1.3MB

Download
memory/1992-16-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

Filesize
44KB

Download
memory/1992-15-0x0000000000AC0000-0x0000000000ACB000-memory.dmp

Filesize
44KB

Download
memory/1992-14-0x0000000000000000-mapping.dmp

Download
memory/3136-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3136-13-0x000000000041EA90-mapping.dmp

Download
memory/3636-7-0x0000000004AA0000-0x0000000004AA1000-memory.dmp

Filesize
4KB

Download
memory/3636-10-0x0000000004A80000-0x0000000004A92000-memory.dmp

Filesize
72KB

Download
memory/3636-11-0x00000000059B0000-0x0000000005A1C000-memory.dmp

Filesize
432KB

Download
memory/3636-9-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/3636-8-0x0000000004A40000-0x0000000004A41000-memory.dmp

Filesize
4KB

Download
memory/3636-2-0x0000000073BA0000-0x000000007428E000-memory.dmp

Filesize
6.9MB

Download
memory/3636-6-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3636-5-0x0000000004940000-0x0000000004941000-memory.dmp

Filesize
4KB

Download
memory/3636-3-0x00000000000A0000-0x00000000000A1000-memory.dmp

Filesize
4KB

Download
memory/3896-17-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads