formbook | 931f6aeff35cea88af521bc2cdca24164113c47ab3153e148e33d5bce66313f4

General

Target

urgent specification request.exe
Size

1.0MB
MD5

72a9c8f82996953e9fa72e5e0b85afca
SHA1

33f74928d66e687c2f981f9219a92d936152cbaf
SHA256

931f6aeff35cea88af521bc2cdca24164113c47ab3153e148e33d5bce66313f4
SHA512

ed85947f1b9f04e1d84646386b635c05dce66f063b3095b9873adbfa5b6c14b7f4bcc385aa14c0a2da4efd772e9278a517f58ff6b31d7f654d325d2efd0fdddd

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.timoniks.com/rbg/

Decoy

fingermode.com

parkplace.finance

hollandgreen2020.com

starbets.site

vehiculesfrigorifiques.com

sydiifinancial.com

rpivuenation.com

freesubdirectory.com

independencepartynyc.com

dogruparti.info

independencecountyclub.com

midnightlashesbykim.com

digitalsept.com

whatilikeabouttoday.com

marktplaatsaccount.info

13400667334.com

xinwei-ge.com

login-appleid.info

momashands.com

kennyxpress.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/108-7-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/108-8-0x000000000041EB40-mapping.dmp	formbook
behavioral1/memory/1504-10-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

304 cmd.exe

pid	process
304	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

urgent specification request.exeurgent specification request.exewininit.exe

description	pid	process	target process
PID 1848 set thread context of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 108 set thread context of 1192	108	urgent specification request.exe	Explorer.EXE
PID 108 set thread context of 1192	108	urgent specification request.exe	Explorer.EXE
PID 1504 set thread context of 1192	1504	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

urgent specification request.exewininit.exe

pid	process
108	urgent specification request.exe
108	urgent specification request.exe
108	urgent specification request.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe
1504	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

urgent specification request.exewininit.exe

pid	process
108	urgent specification request.exe
108	urgent specification request.exe
108	urgent specification request.exe
108	urgent specification request.exe
1504	wininit.exe
1504	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

urgent specification request.exewininit.exe

description pid process

Token: SeDebugPrivilege 108 urgent specification request.exe
Token: SeDebugPrivilege 1504 wininit.exe

description	pid	process
Token: SeDebugPrivilege	108	urgent specification request.exe
Token: SeDebugPrivilege	1504	wininit.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

urgent specification request.exeurgent specification request.exewininit.exe

description	pid	process	target process
PID 1848 wrote to memory of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 1848 wrote to memory of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 1848 wrote to memory of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 1848 wrote to memory of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 1848 wrote to memory of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 1848 wrote to memory of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 1848 wrote to memory of 108	1848	urgent specification request.exe	urgent specification request.exe
PID 108 wrote to memory of 1504	108	urgent specification request.exe	wininit.exe
PID 108 wrote to memory of 1504	108	urgent specification request.exe	wininit.exe
PID 108 wrote to memory of 1504	108	urgent specification request.exe	wininit.exe
PID 108 wrote to memory of 1504	108	urgent specification request.exe	wininit.exe
PID 1504 wrote to memory of 304	1504	wininit.exe	cmd.exe
PID 1504 wrote to memory of 304	1504	wininit.exe	cmd.exe
PID 1504 wrote to memory of 304	1504	wininit.exe	cmd.exe
PID 1504 wrote to memory of 304	1504	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192

C:\Users\Admin\AppData\Local\Temp\urgent specification request.exe
"C:\Users\Admin\AppData\Local\Temp\urgent specification request.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1848

C:\Users\Admin\AppData\Local\Temp\urgent specification request.exe
"C:\Users\Admin\AppData\Local\Temp\urgent specification request.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:108

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\urgent specification request.exe"
5⤵
- Deletes itself
PID:304

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/108-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/108-8-0x000000000041EB40-mapping.dmp

Download
memory/304-12-0x0000000000000000-mapping.dmp

Download
memory/1192-9-0x0000000007030000-0x00000000071D7000-memory.dmp

Filesize
1.7MB

Download
memory/1192-14-0x0000000007820000-0x0000000007976000-memory.dmp

Filesize
1.3MB

Download
memory/1504-10-0x0000000000000000-mapping.dmp

Download
memory/1504-11-0x0000000000790000-0x00000000007AA000-memory.dmp

Filesize
104KB

Download
memory/1504-13-0x0000000002FB0000-0x000000000304E000-memory.dmp

Filesize
632KB

Download
memory/1848-2-0x0000000074590000-0x0000000074C7E000-memory.dmp

Filesize
6.9MB

Download
memory/1848-3-0x0000000000B90000-0x0000000000B91000-memory.dmp

Filesize
4KB

Download
memory/1848-5-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/1848-6-0x00000000054A0000-0x000000000550B000-memory.dmp

Filesize
428KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads