formbook | 6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3

General

Target

inz.exe
Size

411KB
MD5

ab87bb7551411aec9c0b27cb4dcca79e
SHA1

e689e98a99d1d2a6e9a67a6adbd7fba737ed2d6b
SHA256

6c63e68f6d116d78c115e15d1c1bdaeb1064cb562de15c4f5d46142e637f26e3
SHA512

5a0ef5f90cd43534e2043dbe4fae17c9b1a1197be9e1acd29c1c069f710732bd8f6c3aad59b5ff16e4c65ac43b4e23e8a2c8c7f5fc27a74638c150b319234f4f

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.nationshiphop.com/hko6/

Decoy

apartmentsineverettwa.com

forritcu.net

hotroodes.com

skinnerttc.com

royaltrustmyanmar.com

adreslog.com

kaysbridalboutiques.com

multitask-improvements.com

geniiforum.com

smarthomehatinh.asia

banglikeaboss.com

javlover.club

affiliateclubindia.com

mycapecoralhomevalue.com

comparamuebles.online

newrochellenissan.com

nairobi-paris.com

fwk.xyz

downdepot.com

nextgenmemorabilia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2916-5-0x0000000000400000-0x0000000000443000-memory.dmp	formbook
behavioral2/memory/2916-6-0x000000000040188B-mapping.dmp	formbook
behavioral2/memory/3880-7-0x00000000021F0000-0x0000000002233000-memory.dmp	formbook
behavioral2/memory/2916-8-0x0000000000400000-0x0000000000443000-memory.dmp	formbook
behavioral2/memory/2916-10-0x00000000032A0000-0x00000000032CE000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

inz.exe

description pid process target process

PID 3880 set thread context of 2916 3880 inz.exe inz.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1336 2916 WerFault.exe inz.exe

description	pid	process	target process
PID 3880 set thread context of 2916	3880	inz.exe	inz.exe

pid	pid_target	process	target process
1336	2916	WerFault.exe	inz.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

WerFault.exe

pid	process
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe
1336	WerFault.exe

Suspicious behavior: MapViewOfSection 4 IoCs

Processes:

inz.exeinz.exeinz.exeinz.exe

pid process

2604 inz.exe
2536 inz.exe
2800 inz.exe
3880 inz.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

WerFault.exe

description pid process

Token: SeRestorePrivilege 1336 WerFault.exe
Token: SeBackupPrivilege 1336 WerFault.exe
Token: SeDebugPrivilege 1336 WerFault.exe

pid	process
2604	inz.exe
2536	inz.exe
2800	inz.exe
3880	inz.exe

description	pid	process
Token: SeRestorePrivilege	1336	WerFault.exe
Token: SeBackupPrivilege	1336	WerFault.exe
Token: SeDebugPrivilege	1336	WerFault.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

inz.exeinz.exeinz.exeinz.exe

description	pid	process	target process
PID 2604 wrote to memory of 3268	2604	inz.exe	inz.exe
PID 2604 wrote to memory of 3268	2604	inz.exe	inz.exe
PID 2604 wrote to memory of 3268	2604	inz.exe	inz.exe
PID 2604 wrote to memory of 2536	2604	inz.exe	inz.exe
PID 2604 wrote to memory of 2536	2604	inz.exe	inz.exe
PID 2604 wrote to memory of 2536	2604	inz.exe	inz.exe
PID 2536 wrote to memory of 2740	2536	inz.exe	inz.exe
PID 2536 wrote to memory of 2740	2536	inz.exe	inz.exe
PID 2536 wrote to memory of 2740	2536	inz.exe	inz.exe
PID 2536 wrote to memory of 2800	2536	inz.exe	inz.exe
PID 2536 wrote to memory of 2800	2536	inz.exe	inz.exe
PID 2536 wrote to memory of 2800	2536	inz.exe	inz.exe
PID 2800 wrote to memory of 2960	2800	inz.exe	inz.exe
PID 2800 wrote to memory of 2960	2800	inz.exe	inz.exe
PID 2800 wrote to memory of 2960	2800	inz.exe	inz.exe
PID 2800 wrote to memory of 3880	2800	inz.exe	inz.exe
PID 2800 wrote to memory of 3880	2800	inz.exe	inz.exe
PID 2800 wrote to memory of 3880	2800	inz.exe	inz.exe
PID 3880 wrote to memory of 2916	3880	inz.exe	inz.exe
PID 3880 wrote to memory of 2916	3880	inz.exe	inz.exe
PID 3880 wrote to memory of 2916	3880	inz.exe	inz.exe
PID 3880 wrote to memory of 2916	3880	inz.exe	inz.exe

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2604

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
2⤵
PID:3268

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
2⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
3⤵
PID:2740

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
3⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2800

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
4⤵
PID:2960

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3880

C:\Users\Admin\AppData\Local\Temp\inz.exe
"C:\Users\Admin\AppData\Local\Temp\inz.exe"
5⤵
PID:2916

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 880
6⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1336-11-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/2536-2-0x0000000000000000-mapping.dmp

Download
memory/2800-3-0x0000000000000000-mapping.dmp

Download
memory/2916-5-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2916-6-0x000000000040188B-mapping.dmp

Download
memory/2916-8-0x0000000000400000-0x0000000000443000-memory.dmp

Filesize
268KB

Download
memory/2916-9-0x00000000739F0000-0x00000000740DE000-memory.dmp

Filesize
6.9MB

Download
memory/2916-10-0x00000000032A0000-0x00000000032CE000-memory.dmp

Filesize
184KB

Download
memory/3880-4-0x0000000000000000-mapping.dmp

Download
memory/3880-7-0x00000000021F0000-0x0000000002233000-memory.dmp

Filesize
268KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads