formbook | 709b457160612a42a7714a517690760f05b09fb55f61570632500aa14328deec

General

Target

PO101420.exe
Size

837KB
MD5

ff9de567dd3c2aa2ebcb5e0450964875
SHA1

aeb352d5031fa9cd1f5a3e1a69c4c4740634956c
SHA256

709b457160612a42a7714a517690760f05b09fb55f61570632500aa14328deec
SHA512

b850406f9db839d5678997713034106c94c36d500f774ae222a086dcb9e693f450ba686f6ab13f6e9a07bf91e9aa92626a49e73a761d80c502c89f2ab3be279e

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.hundsprobleme.com/fcxy/

Decoy

3dimex.com

heartgem.net

jhfctzdsna.club

lurapures.com

musclegirlfix.com

zebragenetics.com

evyneellis.com

jiaxiaozx.com

kayanmag.com

ufomars.com

liverepaire.com

hitspluz.com

regulargirlhair.com

lafleurdulis.com

secretsseniorengineersknow.com

zoerichards.photos

alphaappraisal.net

southernrussia.com

jbskatingmuseum.com

lawxorder.art

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/932-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/932-12-0x000000000041ECE0-mapping.dmp	formbook
behavioral2/memory/2828-13-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO101420.exeMSBuild.execmstp.exe

description	pid	process	target process
PID 4040 set thread context of 932	4040	PO101420.exe	MSBuild.exe
PID 932 set thread context of 3068	932	MSBuild.exe	Explorer.EXE
PID 2828 set thread context of 3068	2828	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

MSBuild.execmstp.exe

pid	process
932	MSBuild.exe
932	MSBuild.exe
932	MSBuild.exe
932	MSBuild.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe
2828	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSBuild.execmstp.exe

pid process

932 MSBuild.exe
932 MSBuild.exe
932 MSBuild.exe
2828 cmstp.exe
2828 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSBuild.execmstp.exe

description pid process

Token: SeDebugPrivilege 932 MSBuild.exe
Token: SeDebugPrivilege 2828 cmstp.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3068 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	932	MSBuild.exe
Token: SeDebugPrivilege	2828	cmstp.exe

pid	process
3068	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO101420.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4040 wrote to memory of 932	4040	PO101420.exe	MSBuild.exe
PID 4040 wrote to memory of 932	4040	PO101420.exe	MSBuild.exe
PID 4040 wrote to memory of 932	4040	PO101420.exe	MSBuild.exe
PID 4040 wrote to memory of 932	4040	PO101420.exe	MSBuild.exe
PID 4040 wrote to memory of 932	4040	PO101420.exe	MSBuild.exe
PID 4040 wrote to memory of 932	4040	PO101420.exe	MSBuild.exe
PID 3068 wrote to memory of 2828	3068	Explorer.EXE	cmstp.exe
PID 3068 wrote to memory of 2828	3068	Explorer.EXE	cmstp.exe
PID 3068 wrote to memory of 2828	3068	Explorer.EXE	cmstp.exe
PID 2828 wrote to memory of 1516	2828	cmstp.exe	cmd.exe
PID 2828 wrote to memory of 1516	2828	cmstp.exe	cmd.exe
PID 2828 wrote to memory of 1516	2828	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3068

C:\Users\Admin\AppData\Local\Temp\PO101420.exe
"C:\Users\Admin\AppData\Local\Temp\PO101420.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4040

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2828

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:1516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/932-12-0x000000000041ECE0-mapping.dmp

Download
memory/1516-16-0x0000000000000000-mapping.dmp

Download
memory/2828-17-0x0000000005A20000-0x0000000005B49000-memory.dmp

Filesize
1.2MB

Download
memory/2828-15-0x0000000001040000-0x0000000001056000-memory.dmp

Filesize
88KB

Download
memory/2828-14-0x0000000001040000-0x0000000001056000-memory.dmp

Filesize
88KB

Download
memory/2828-13-0x0000000000000000-mapping.dmp

Download
memory/4040-6-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/4040-10-0x0000000007490000-0x0000000007491000-memory.dmp

Filesize
4KB

Download
memory/4040-9-0x0000000007350000-0x00000000073DD000-memory.dmp

Filesize
564KB

Download
memory/4040-8-0x0000000005190000-0x000000000519E000-memory.dmp

Filesize
56KB

Download
memory/4040-7-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/4040-2-0x00000000733D0000-0x0000000073ABE000-memory.dmp

Filesize
6.9MB

Download
memory/4040-5-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/4040-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads