formbook | c3d490568e73f61c86d2d4c01e170bdcf3c0d3eb5e309ff3d3fb808a4a867a54

General

Target

payment advice00000789_pdf.exe
Size

866KB
MD5

a08fc6065952b6625893e48a8bc72106
SHA1

7b4baec718caa9c5a3aa7cbe1d85121af68f810b
SHA256

c3d490568e73f61c86d2d4c01e170bdcf3c0d3eb5e309ff3d3fb808a4a867a54
SHA512

2edcf7922cdd41d2b30ef3abb734a79a21ace178f8ea100067077be7ff5aca470e2000f869b839aca27b86ea4da9bdefcbc408de19e4e461a082fe5c7c916974

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aftabzahur.com/wgn/

Decoy

kokokara-life-blog.com

faswear.com

futureleadershiptoday.com

date4done.xyz

thecouponinn.com

bbeycarpetsf.com

propolisnasalspray.com

jinjudiamond.com

goodevectors.com

nehyam.com

evalinkapuppets.com

what-if-statistics.com

rateofrisk.com

impacttestonlinne.com

servis-kaydet.info

coloniacafe.com

marcemarketing.com

aarigging.com

goddesswitchery.com

jasqblo.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4088-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4088-12-0x000000000041EAC0-mapping.dmp	formbook
behavioral2/memory/4368-14-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

payment advice00000789_pdf.exepayment advice00000789_pdf.execmd.exe

description	pid	process	target process
PID 4708 set thread context of 4088	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4088 set thread context of 2852	4088	payment advice00000789_pdf.exe	Explorer.EXE
PID 4368 set thread context of 2852	4368	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

payment advice00000789_pdf.exepayment advice00000789_pdf.execmd.exe

pid	process
4708	payment advice00000789_pdf.exe
4708	payment advice00000789_pdf.exe
4088	payment advice00000789_pdf.exe
4088	payment advice00000789_pdf.exe
4088	payment advice00000789_pdf.exe
4088	payment advice00000789_pdf.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe
4368	cmd.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

payment advice00000789_pdf.execmd.exe

pid process

4088 payment advice00000789_pdf.exe
4088 payment advice00000789_pdf.exe
4088 payment advice00000789_pdf.exe
4368 cmd.exe
4368 cmd.exe

pid	process
4088	payment advice00000789_pdf.exe
4088	payment advice00000789_pdf.exe
4088	payment advice00000789_pdf.exe
4368	cmd.exe
4368	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

payment advice00000789_pdf.exepayment advice00000789_pdf.execmd.exe

description	pid	process
Token: SeDebugPrivilege	4708	payment advice00000789_pdf.exe
Token: SeDebugPrivilege	4088	payment advice00000789_pdf.exe
Token: SeDebugPrivilege	4368	cmd.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2852 Explorer.EXE

pid	process
2852	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

payment advice00000789_pdf.exeExplorer.EXEcmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2852

C:\Users\Admin\AppData\Local\Temp\payment advice00000789_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice00000789_pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\payment advice00000789_pdf.exe
"{path}"
3⤵
PID:3240

C:\Users\Admin\AppData\Local\Temp\payment advice00000789_pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4088

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4368

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment advice00000789_pdf.exe"
3⤵
PID:4076

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4076-17-0x0000000000000000-mapping.dmp

Download
memory/4088-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4088-12-0x000000000041EAC0-mapping.dmp

Download
memory/4368-18-0x0000000004320000-0x000000000444A000-memory.dmp

Filesize
1.2MB

Download
memory/4368-16-0x0000000000920000-0x0000000000979000-memory.dmp

Filesize
356KB

Download
memory/4368-15-0x0000000000920000-0x0000000000979000-memory.dmp

Filesize
356KB

Download
memory/4368-14-0x0000000000000000-mapping.dmp

Download
memory/4708-6-0x00000000035D0000-0x00000000035D1000-memory.dmp

Filesize
4KB

Download
memory/4708-10-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/4708-9-0x0000000007EF0000-0x0000000007F8D000-memory.dmp

Filesize
628KB

Download
memory/4708-8-0x0000000005BD0000-0x0000000005BDE000-memory.dmp

Filesize
56KB

Download
memory/4708-7-0x0000000003490000-0x0000000003491000-memory.dmp

Filesize
4KB

Download
memory/4708-2-0x0000000073530000-0x0000000073C1E000-memory.dmp

Filesize
6.9MB

Download
memory/4708-5-0x00000000060F0000-0x00000000060F1000-memory.dmp

Filesize
4KB

Download
memory/4708-3-0x0000000000EA0000-0x0000000000EA1000-memory.dmp

Filesize
4KB

Download

description	pid	process	target process
PID 4708 wrote to memory of 3240	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 3240	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 3240	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 4088	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 4088	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 4088	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 4088	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 4088	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 4708 wrote to memory of 4088	4708	payment advice00000789_pdf.exe	payment advice00000789_pdf.exe
PID 2852 wrote to memory of 4368	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 4368	2852	Explorer.EXE	cmd.exe
PID 2852 wrote to memory of 4368	2852	Explorer.EXE	cmd.exe
PID 4368 wrote to memory of 4076	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4076	4368	cmd.exe	cmd.exe
PID 4368 wrote to memory of 4076	4368	cmd.exe	cmd.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads