formbook | 7a47a855968f4e82d6cc2d35186d2d56468701bc5587cc87f82a847bd2c45ae5

General

Target

PI_JAN9071011998_BARYSLpdf.exe
Size

941KB
MD5

31dddef6168b1d0e0f731f01eca9ea58
SHA1

bd1e997473e71ae2e8021298149b692cb84aab54
SHA256

7a47a855968f4e82d6cc2d35186d2d56468701bc5587cc87f82a847bd2c45ae5
SHA512

de6ceb15b960f8b6ab95438b04495974c200086447b4b4d91401af936105a2bf66888913e16ba1ffb7a171aa1de0a7fabb6f02979362a3bef978f011571b8ebb

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.thedilleyo.com/kb8/

Decoy

goodsforbuilders.com

dafuhe.com

parapharmacity.com

montclairymcamotionvibe.com

jamesmccloudart.com

reignfallentertainment.com

couplesforequality.com

pitchbop.com

minipresspaperco.com

venoam.com

so-paradise.com

surgeryprovider.com

donaldscareers.com

disney-funlife.com

biosolo.net

themodsmith.net

grandhawaiian.com

11mountains.com

immatesearch.com

stochastichq.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3612-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3612-12-0x000000000041EB70-mapping.dmp	formbook
behavioral2/memory/2232-13-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PI_JAN9071011998_BARYSLpdf.exePI_JAN9071011998_BARYSLpdf.exewscript.exe

description	pid	process	target process
PID 508 set thread context of 3612	508	PI_JAN9071011998_BARYSLpdf.exe	PI_JAN9071011998_BARYSLpdf.exe
PID 3612 set thread context of 3016	3612	PI_JAN9071011998_BARYSLpdf.exe	Explorer.EXE
PID 2232 set thread context of 3016	2232	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

PI_JAN9071011998_BARYSLpdf.exewscript.exe

pid	process
3612	PI_JAN9071011998_BARYSLpdf.exe
3612	PI_JAN9071011998_BARYSLpdf.exe
3612	PI_JAN9071011998_BARYSLpdf.exe
3612	PI_JAN9071011998_BARYSLpdf.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe
2232	wscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PI_JAN9071011998_BARYSLpdf.exewscript.exe

pid process

3612 PI_JAN9071011998_BARYSLpdf.exe
3612 PI_JAN9071011998_BARYSLpdf.exe
3612 PI_JAN9071011998_BARYSLpdf.exe
2232 wscript.exe
2232 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PI_JAN9071011998_BARYSLpdf.exewscript.exe

description pid process

Token: SeDebugPrivilege 3612 PI_JAN9071011998_BARYSLpdf.exe
Token: SeDebugPrivilege 2232 wscript.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3016 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3612	PI_JAN9071011998_BARYSLpdf.exe
Token: SeDebugPrivilege	2232	wscript.exe

pid	process
3016	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PI_JAN9071011998_BARYSLpdf.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 508 wrote to memory of 3612	508	PI_JAN9071011998_BARYSLpdf.exe	PI_JAN9071011998_BARYSLpdf.exe
PID 508 wrote to memory of 3612	508	PI_JAN9071011998_BARYSLpdf.exe	PI_JAN9071011998_BARYSLpdf.exe
PID 508 wrote to memory of 3612	508	PI_JAN9071011998_BARYSLpdf.exe	PI_JAN9071011998_BARYSLpdf.exe
PID 508 wrote to memory of 3612	508	PI_JAN9071011998_BARYSLpdf.exe	PI_JAN9071011998_BARYSLpdf.exe
PID 508 wrote to memory of 3612	508	PI_JAN9071011998_BARYSLpdf.exe	PI_JAN9071011998_BARYSLpdf.exe
PID 508 wrote to memory of 3612	508	PI_JAN9071011998_BARYSLpdf.exe	PI_JAN9071011998_BARYSLpdf.exe
PID 3016 wrote to memory of 2232	3016	Explorer.EXE	wscript.exe
PID 3016 wrote to memory of 2232	3016	Explorer.EXE	wscript.exe
PID 3016 wrote to memory of 2232	3016	Explorer.EXE	wscript.exe
PID 2232 wrote to memory of 3808	2232	wscript.exe	cmd.exe
PID 2232 wrote to memory of 3808	2232	wscript.exe	cmd.exe
PID 2232 wrote to memory of 3808	2232	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3016

C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe
"C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:508

C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3612

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI_JAN9071011998_BARYSLpdf.exe"
3⤵
PID:3808

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-9-0x0000000005C40000-0x0000000005C8C000-memory.dmp

Filesize
304KB

Download
memory/508-2-0x0000000073520000-0x0000000073C0E000-memory.dmp

Filesize
6.9MB

Download
memory/508-5-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/508-6-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/508-7-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/508-8-0x00000000051E0000-0x00000000051EE000-memory.dmp

Filesize
56KB

Download
memory/508-3-0x00000000006D0000-0x00000000006D1000-memory.dmp

Filesize
4KB

Download
memory/508-10-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/2232-13-0x0000000000000000-mapping.dmp

Download
memory/2232-14-0x0000000001130000-0x0000000001157000-memory.dmp

Filesize
156KB

Download
memory/2232-15-0x0000000001130000-0x0000000001157000-memory.dmp

Filesize
156KB

Download
memory/2232-17-0x0000000006240000-0x00000000063CF000-memory.dmp

Filesize
1.6MB

Download
memory/3612-12-0x000000000041EB70-mapping.dmp

Download
memory/3612-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3808-16-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads