formbook | cf5a2454c16d739c04939e84f71d62772620f7d0f90df49266e8493393da7167

General

Target

15012021546.exe
Size

893KB
MD5

85c2653a529637c000fa5ac67665dcb3
SHA1

a04c8cf5f68a0f2e5f40f5632fbbbcdaf6811cb1
SHA256

cf5a2454c16d739c04939e84f71d62772620f7d0f90df49266e8493393da7167
SHA512

79d5783b74389ded2c2189f93be15d897794978637ef124c6ab7f12e9c72a1f4a84f48853f24d4f06afc23660c79ea1adf683c7d770fa697e6adc00933ab0ff6

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.southsideflooringcreations.com/dkk/

Decoy

goldenfarmm.com

miproper.com

theutahan.com

efeteenerji.com

wellfarehealth.com

setricoo.com

enjoyablephotobooths.com

semaindustrial.com

jennywet.com

jackhughesart.com

cantgetryte.com

searko.com

zxrxhuny.icu

exoticorganicwine.com

fordexplorerproblems.com

locationwebtv.net

elinvoimainenperhe.com

mundoclik.com

nouvellenormale.com

talasnakliyat.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4068-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4068-13-0x000000000041EC00-mapping.dmp	formbook
behavioral2/memory/4092-14-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

15012021546.exe15012021546.exesystray.exe

description	pid	process	target process
PID 4764 set thread context of 4068	4764	15012021546.exe	15012021546.exe
PID 4068 set thread context of 2640	4068	15012021546.exe	Explorer.EXE
PID 4092 set thread context of 2640	4092	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

15012021546.exesystray.exe

pid	process
4068	15012021546.exe
4068	15012021546.exe
4068	15012021546.exe
4068	15012021546.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe
4092	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

15012021546.exesystray.exe

pid process

4068 15012021546.exe
4068 15012021546.exe
4068 15012021546.exe
4092 systray.exe
4092 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

15012021546.exesystray.exe

description pid process

Token: SeDebugPrivilege 4068 15012021546.exe
Token: SeDebugPrivilege 4092 systray.exe

description	pid	process
Token: SeDebugPrivilege	4068	15012021546.exe
Token: SeDebugPrivilege	4092	systray.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

15012021546.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 4764 wrote to memory of 4068	4764	15012021546.exe	15012021546.exe
PID 4764 wrote to memory of 4068	4764	15012021546.exe	15012021546.exe
PID 4764 wrote to memory of 4068	4764	15012021546.exe	15012021546.exe
PID 4764 wrote to memory of 4068	4764	15012021546.exe	15012021546.exe
PID 4764 wrote to memory of 4068	4764	15012021546.exe	15012021546.exe
PID 4764 wrote to memory of 4068	4764	15012021546.exe	15012021546.exe
PID 2640 wrote to memory of 4092	2640	Explorer.EXE	systray.exe
PID 2640 wrote to memory of 4092	2640	Explorer.EXE	systray.exe
PID 2640 wrote to memory of 4092	2640	Explorer.EXE	systray.exe
PID 4092 wrote to memory of 1912	4092	systray.exe	cmd.exe
PID 4092 wrote to memory of 1912	4092	systray.exe	cmd.exe
PID 4092 wrote to memory of 1912	4092	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\15012021546.exe
"C:\Users\Admin\AppData\Local\Temp\15012021546.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4764

C:\Users\Admin\AppData\Local\Temp\15012021546.exe
"C:\Users\Admin\AppData\Local\Temp\15012021546.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4068

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4092

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\15012021546.exe"
3⤵
PID:1912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1912-17-0x0000000000000000-mapping.dmp

Download
memory/2640-19-0x0000000002530000-0x00000000025E8000-memory.dmp

Filesize
736KB

Download
memory/4068-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4068-13-0x000000000041EC00-mapping.dmp

Download
memory/4092-16-0x0000000000040000-0x0000000000046000-memory.dmp

Filesize
24KB

Download
memory/4092-15-0x0000000000040000-0x0000000000046000-memory.dmp

Filesize
24KB

Download
memory/4092-14-0x0000000000000000-mapping.dmp

Download
memory/4764-7-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/4764-11-0x0000000005CB0000-0x0000000005D16000-memory.dmp

Filesize
408KB

Download
memory/4764-10-0x0000000004ED0000-0x0000000004EE2000-memory.dmp

Filesize
72KB

Download
memory/4764-9-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/4764-8-0x00000000028A0000-0x00000000028A1000-memory.dmp

Filesize
4KB

Download
memory/4764-2-0x0000000073370000-0x0000000073A5E000-memory.dmp

Filesize
6.9MB

Download
memory/4764-6-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/4764-5-0x0000000004F40000-0x0000000004F41000-memory.dmp

Filesize
4KB

Download
memory/4764-3-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads