formbook | 8aecd1adbf0fe3c5e9e40c19893c1ca3464ed8e0502bfdb4acb871b95009f956

General

Target

inn.exe
Size

311KB
MD5

fb4693dd2160e94606e349abfc64dcb9
SHA1

3805cd24586cc1422cb2d2ee14dc14fa3c6b390b
SHA256

8aecd1adbf0fe3c5e9e40c19893c1ca3464ed8e0502bfdb4acb871b95009f956
SHA512

2551bf1d8cc8ca47f79a97e733fa0c48fd98658a6bad85c2e60979e32aafff67b41eebef5b3acd1a7a0ee3cdeff05783351187cd62f2623ee3af93c6ce5177d6

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.afrogurls.com/wzpq/

Decoy

buybabyone.com

staandwerken.store

owhinc.com

perfindet.com

bustapeople.com

xfucksex.com

ahayah.online

xorhuman.com

majorsteeshirtexpress.com

webbazaar.net

bestsalem.net

34biererstreet.com

englishfactorynyc.com

qr-url.com

netentfreespinsx.com

jimellissandysprings.com

undertablecashjobs.com

lhyzpark.com

screenwritingmanual.com

paloyalabolsa.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1624-2-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1624-3-0x000000000041ED30-mapping.dmp	formbook
behavioral2/memory/2996-5-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

inn.exeinn.exemsiexec.exe

description	pid	process	target process
PID 580 set thread context of 1624	580	inn.exe	inn.exe
PID 1624 set thread context of 2580	1624	inn.exe	Explorer.EXE
PID 2996 set thread context of 2580	2996	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

inn.exemsiexec.exe

pid	process
1624	inn.exe
1624	inn.exe
1624	inn.exe
1624	inn.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe
2996	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

inn.exeinn.exemsiexec.exe

pid process

580 inn.exe
1624 inn.exe
1624 inn.exe
1624 inn.exe
2996 msiexec.exe
2996 msiexec.exe

pid	process
580	inn.exe
1624	inn.exe
1624	inn.exe
1624	inn.exe
2996	msiexec.exe
2996	msiexec.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

inn.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	1624	inn.exe
Token: SeDebugPrivilege	2996	msiexec.exe
Token: SeShutdownPrivilege	2580	Explorer.EXE
Token: SeCreatePagefilePrivilege	2580	Explorer.EXE
Token: SeShutdownPrivilege	2580	Explorer.EXE
Token: SeCreatePagefilePrivilege	2580	Explorer.EXE
Token: SeShutdownPrivilege	2580	Explorer.EXE
Token: SeCreatePagefilePrivilege	2580	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2580 Explorer.EXE

pid	process
2580	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

inn.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 580 wrote to memory of 1624	580	inn.exe	inn.exe
PID 580 wrote to memory of 1624	580	inn.exe	inn.exe
PID 580 wrote to memory of 1624	580	inn.exe	inn.exe
PID 580 wrote to memory of 1624	580	inn.exe	inn.exe
PID 2580 wrote to memory of 2996	2580	Explorer.EXE	msiexec.exe
PID 2580 wrote to memory of 2996	2580	Explorer.EXE	msiexec.exe
PID 2580 wrote to memory of 2996	2580	Explorer.EXE	msiexec.exe
PID 2996 wrote to memory of 3024	2996	msiexec.exe	cmd.exe
PID 2996 wrote to memory of 3024	2996	msiexec.exe	cmd.exe
PID 2996 wrote to memory of 3024	2996	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2580

C:\Users\Admin\AppData\Local\Temp\inn.exe
"C:\Users\Admin\AppData\Local\Temp\inn.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:580

C:\Users\Admin\AppData\Local\Temp\inn.exe
"C:\Users\Admin\AppData\Local\Temp\inn.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1624

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2996

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\inn.exe"
3⤵
PID:3024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1624-3-0x000000000041ED30-mapping.dmp

Download
memory/2996-5-0x0000000000000000-mapping.dmp

Download
memory/2996-6-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2996-7-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2996-9-0x0000000005AC0000-0x0000000005B9C000-memory.dmp

Filesize
880KB

Download
memory/3024-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads