formbook | bae8d59b05bc0896419e973105103ada842908c24340e88e7444b7c640664b83

General

Target

mTF1eRdnr0OV8c4.exe
Size

863KB
MD5

109a86a9bff8c2bed48d2538fc38f45a
SHA1

8ecb82a010603806273c4c76d374cf53c622c0ed
SHA256

bae8d59b05bc0896419e973105103ada842908c24340e88e7444b7c640664b83
SHA512

1eef1d45689f8080cc9d8a2ebc19aefabe0e52ac6bf9653522e4116d9eff19047b5032a205fd78867a710f18842e0befe141044f0b1194df9ce84144ce626b0c

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.badstar.net/tmz/

Decoy

easywebplacenetlaramie.com

kushions.today

wallsbilplat.com

csgetdegrees.com

wujuenong.net

bhsentertainmentnews.com

worpar.com

ivappsglobal.com

talktogiamfoods.com

nagoyasteakandsushi.com

blockchaininfo.site

unitylinkonlie.com

sofiavoz.com

livesportsite.com

wishesandmessages.com

diningroomspaintcolorsideas.com

landnlushscents.com

metrosdahospitals.com

coast2coastrent.com

turkhristiyanbirligi.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1212-7-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1212-8-0x000000000041EB70-mapping.dmp	formbook
behavioral1/memory/1020-9-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

576 cmd.exe

pid	process
576	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mTF1eRdnr0OV8c4.exemTF1eRdnr0OV8c4.exewuapp.exe

description	pid	process	target process
PID 1080 set thread context of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1212 set thread context of 1256	1212	mTF1eRdnr0OV8c4.exe	Explorer.EXE
PID 1020 set thread context of 1256	1020	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

mTF1eRdnr0OV8c4.exemTF1eRdnr0OV8c4.exewuapp.exe

pid	process
1080	mTF1eRdnr0OV8c4.exe
1080	mTF1eRdnr0OV8c4.exe
1212	mTF1eRdnr0OV8c4.exe
1212	mTF1eRdnr0OV8c4.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe
1020	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mTF1eRdnr0OV8c4.exewuapp.exe

pid process

1212 mTF1eRdnr0OV8c4.exe
1212 mTF1eRdnr0OV8c4.exe
1212 mTF1eRdnr0OV8c4.exe
1020 wuapp.exe
1020 wuapp.exe

pid	process
1212	mTF1eRdnr0OV8c4.exe
1212	mTF1eRdnr0OV8c4.exe
1212	mTF1eRdnr0OV8c4.exe
1020	wuapp.exe
1020	wuapp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

mTF1eRdnr0OV8c4.exemTF1eRdnr0OV8c4.exewuapp.exe

description	pid	process
Token: SeDebugPrivilege	1080	mTF1eRdnr0OV8c4.exe
Token: SeDebugPrivilege	1212	mTF1eRdnr0OV8c4.exe
Token: SeDebugPrivilege	1020	wuapp.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE
1256 Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

mTF1eRdnr0OV8c4.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1080 wrote to memory of 1748	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1748	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1748	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1748	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1080 wrote to memory of 1212	1080	mTF1eRdnr0OV8c4.exe	mTF1eRdnr0OV8c4.exe
PID 1256 wrote to memory of 1020	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1020	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1020	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1020	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1020	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1020	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 1020	1256	Explorer.EXE	wuapp.exe
PID 1020 wrote to memory of 576	1020	wuapp.exe	cmd.exe
PID 1020 wrote to memory of 576	1020	wuapp.exe	cmd.exe
PID 1020 wrote to memory of 576	1020	wuapp.exe	cmd.exe
PID 1020 wrote to memory of 576	1020	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe
"C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe
"{path}"
3⤵
PID:1748

C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1212

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1020

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mTF1eRdnr0OV8c4.exe"
3⤵
- Deletes itself
PID:576

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/576-11-0x0000000000000000-mapping.dmp

Download
memory/1020-9-0x0000000000000000-mapping.dmp

Download
memory/1020-10-0x0000000001130000-0x000000000113B000-memory.dmp

Filesize
44KB

Download
memory/1020-12-0x0000000003110000-0x0000000003286000-memory.dmp

Filesize
1.5MB

Download
memory/1080-2-0x0000000074CF0000-0x00000000753DE000-memory.dmp

Filesize
6.9MB

Download
memory/1080-3-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/1080-5-0x0000000000310000-0x000000000031E000-memory.dmp

Filesize
56KB

Download
memory/1080-6-0x00000000051A0000-0x0000000005230000-memory.dmp

Filesize
576KB

Download
memory/1212-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1212-8-0x000000000041EB70-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads