formbook | d295487f9604941495341ea43a4f21b3beed094c81225ab75e41a0b10541ad9b

General

Target

payment advice002436_pdf.exe
Size

680KB
MD5

55315ebd192457168fb45e0e2dfd34b9
SHA1

4ef2765a6d996301ba1f071cd8a47c5a8a9e82fe
SHA256

d295487f9604941495341ea43a4f21b3beed094c81225ab75e41a0b10541ad9b
SHA512

5dbc71ea1b14d14aceef251499fdfaffd0703dd677f7716741bd82ae7396bbf4b38f50d0a5dc4e0b56a330a62364a0caf015c6762098c4449c4d0c9251abf191

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aftabzahur.com/wgn/

Decoy

kokokara-life-blog.com

faswear.com

futureleadershiptoday.com

date4done.xyz

thecouponinn.com

bbeycarpetsf.com

propolisnasalspray.com

jinjudiamond.com

goodevectors.com

nehyam.com

evalinkapuppets.com

what-if-statistics.com

rateofrisk.com

impacttestonlinne.com

servis-kaydet.info

coloniacafe.com

marcemarketing.com

aarigging.com

goddesswitchery.com

jasqblo.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2128-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2128-12-0x000000000041EAC0-mapping.dmp	formbook
behavioral2/memory/2064-14-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

payment advice002436_pdf.exepayment advice002436_pdf.execontrol.exe

description	pid	process	target process
PID 3992 set thread context of 2128	3992	payment advice002436_pdf.exe	payment advice002436_pdf.exe
PID 2128 set thread context of 3036	2128	payment advice002436_pdf.exe	Explorer.EXE
PID 2064 set thread context of 3036	2064	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

payment advice002436_pdf.execontrol.exe

pid	process
2128	payment advice002436_pdf.exe
2128	payment advice002436_pdf.exe
2128	payment advice002436_pdf.exe
2128	payment advice002436_pdf.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe
2064	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

payment advice002436_pdf.execontrol.exe

pid process

2128 payment advice002436_pdf.exe
2128 payment advice002436_pdf.exe
2128 payment advice002436_pdf.exe
2064 control.exe
2064 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

payment advice002436_pdf.execontrol.exe

description pid process

Token: SeDebugPrivilege 2128 payment advice002436_pdf.exe
Token: SeDebugPrivilege 2064 control.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3036 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2128	payment advice002436_pdf.exe
Token: SeDebugPrivilege	2064	control.exe

pid	process
3036	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

payment advice002436_pdf.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 3992 wrote to memory of 2128	3992	payment advice002436_pdf.exe	payment advice002436_pdf.exe
PID 3992 wrote to memory of 2128	3992	payment advice002436_pdf.exe	payment advice002436_pdf.exe
PID 3992 wrote to memory of 2128	3992	payment advice002436_pdf.exe	payment advice002436_pdf.exe
PID 3992 wrote to memory of 2128	3992	payment advice002436_pdf.exe	payment advice002436_pdf.exe
PID 3992 wrote to memory of 2128	3992	payment advice002436_pdf.exe	payment advice002436_pdf.exe
PID 3992 wrote to memory of 2128	3992	payment advice002436_pdf.exe	payment advice002436_pdf.exe
PID 3036 wrote to memory of 2064	3036	Explorer.EXE	control.exe
PID 3036 wrote to memory of 2064	3036	Explorer.EXE	control.exe
PID 3036 wrote to memory of 2064	3036	Explorer.EXE	control.exe
PID 2064 wrote to memory of 3912	2064	control.exe	cmd.exe
PID 2064 wrote to memory of 3912	2064	control.exe	cmd.exe
PID 2064 wrote to memory of 3912	2064	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\payment advice002436_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\payment advice002436_pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\payment advice002436_pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2128

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2064

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment advice002436_pdf.exe"
3⤵
PID:3912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-18-0x00000000056B0000-0x00000000057EE000-memory.dmp

Filesize
1.2MB

Download
memory/2064-16-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2064-15-0x00000000003D0000-0x00000000003F0000-memory.dmp

Filesize
128KB

Download
memory/2064-14-0x0000000000000000-mapping.dmp

Download
memory/2128-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2128-12-0x000000000041EAC0-mapping.dmp

Download
memory/3912-17-0x0000000000000000-mapping.dmp

Download
memory/3992-6-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/3992-10-0x0000000007BD0000-0x0000000007BD1000-memory.dmp

Filesize
4KB

Download
memory/3992-9-0x0000000007A90000-0x0000000007B24000-memory.dmp

Filesize
592KB

Download
memory/3992-8-0x0000000005650000-0x000000000565E000-memory.dmp

Filesize
56KB

Download
memory/3992-7-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3992-2-0x00000000738E0000-0x0000000073FCE000-memory.dmp

Filesize
6.9MB

Download
memory/3992-5-0x0000000005AD0000-0x0000000005AD1000-memory.dmp

Filesize
4KB

Download
memory/3992-3-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads