formbook | 8aecd1adbf0fe3c5e9e40c19893c1ca3464ed8e0502bfdb4acb871b95009f956

General

Target

inn.exe
Size

311KB
MD5

fb4693dd2160e94606e349abfc64dcb9
SHA1

3805cd24586cc1422cb2d2ee14dc14fa3c6b390b
SHA256

8aecd1adbf0fe3c5e9e40c19893c1ca3464ed8e0502bfdb4acb871b95009f956
SHA512

2551bf1d8cc8ca47f79a97e733fa0c48fd98658a6bad85c2e60979e32aafff67b41eebef5b3acd1a7a0ee3cdeff05783351187cd62f2623ee3af93c6ce5177d6

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.afrogurls.com/wzpq/

Decoy

buybabyone.com

staandwerken.store

owhinc.com

perfindet.com

bustapeople.com

xfucksex.com

ahayah.online

xorhuman.com

majorsteeshirtexpress.com

webbazaar.net

bestsalem.net

34biererstreet.com

englishfactorynyc.com

qr-url.com

netentfreespinsx.com

jimellissandysprings.com

undertablecashjobs.com

lhyzpark.com

screenwritingmanual.com

paloyalabolsa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1956-2-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1956-3-0x000000000041ED30-mapping.dmp	formbook
behavioral1/memory/1888-4-0x00000000004D0000-0x00000000004F5000-memory.dmp	formbook
behavioral1/memory/1560-5-0x0000000000000000-mapping.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

748 cmd.exe

pid	process
748	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

inn.exeinn.exerundll32.exe

description	pid	process	target process
PID 1888 set thread context of 1956	1888	inn.exe	inn.exe
PID 1956 set thread context of 1236	1956	inn.exe	Explorer.EXE
PID 1560 set thread context of 1236	1560	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

inn.exerundll32.exe

pid	process
1956	inn.exe
1956	inn.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe
1560	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

inn.exeinn.exerundll32.exe

pid process

1888 inn.exe
1956 inn.exe
1956 inn.exe
1956 inn.exe
1560 rundll32.exe
1560 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

inn.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1956 inn.exe
Token: SeDebugPrivilege 1560 rundll32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE
1236 Explorer.EXE

pid	process
1236	Explorer.EXE

pid	process
1888	inn.exe
1956	inn.exe
1956	inn.exe
1956	inn.exe
1560	rundll32.exe
1560	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1956	inn.exe
Token: SeDebugPrivilege	1560	rundll32.exe

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

inn.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1888 wrote to memory of 1956	1888	inn.exe	inn.exe
PID 1888 wrote to memory of 1956	1888	inn.exe	inn.exe
PID 1888 wrote to memory of 1956	1888	inn.exe	inn.exe
PID 1888 wrote to memory of 1956	1888	inn.exe	inn.exe
PID 1888 wrote to memory of 1956	1888	inn.exe	inn.exe
PID 1236 wrote to memory of 1560	1236	Explorer.EXE	rundll32.exe
PID 1236 wrote to memory of 1560	1236	Explorer.EXE	rundll32.exe
PID 1236 wrote to memory of 1560	1236	Explorer.EXE	rundll32.exe
PID 1236 wrote to memory of 1560	1236	Explorer.EXE	rundll32.exe
PID 1236 wrote to memory of 1560	1236	Explorer.EXE	rundll32.exe
PID 1236 wrote to memory of 1560	1236	Explorer.EXE	rundll32.exe
PID 1236 wrote to memory of 1560	1236	Explorer.EXE	rundll32.exe
PID 1560 wrote to memory of 748	1560	rundll32.exe	cmd.exe
PID 1560 wrote to memory of 748	1560	rundll32.exe	cmd.exe
PID 1560 wrote to memory of 748	1560	rundll32.exe	cmd.exe
PID 1560 wrote to memory of 748	1560	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\inn.exe
"C:\Users\Admin\AppData\Local\Temp\inn.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\inn.exe
"C:\Users\Admin\AppData\Local\Temp\inn.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1560

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\inn.exe"
3⤵
- Deletes itself
PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-7-0x0000000000000000-mapping.dmp

Download
memory/1560-5-0x0000000000000000-mapping.dmp

Download
memory/1560-6-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/1560-8-0x0000000003140000-0x000000000327C000-memory.dmp

Filesize
1.2MB

Download
memory/1888-4-0x00000000004D0000-0x00000000004F5000-memory.dmp

Filesize
148KB

Download
memory/1956-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1956-3-0x000000000041ED30-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads