formbook | 3dcb1921c04d6f8e9974127b4ed2d691021dae212fd4b2e9d82e3d83e7537733

General

Target

Confirm.exe
Size

1011KB
MD5

6350717e7a76e3c7a926f5e1e123b819
SHA1

93e3b8299963504ccd6d623b1814d9df69fcec5c
SHA256

3dcb1921c04d6f8e9974127b4ed2d691021dae212fd4b2e9d82e3d83e7537733
SHA512

e1c7198f72e40fa653f50a23279345bd88826bc05f75c292c82c1efba959cb62a14c084c58ec715a836c50b3278cc628eb8502b3ecd17bd5c8a81eb96e686793

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.deuxus.com/t052/

Decoy

ladybug-learning.com

unforgottenstory.com

oldmopaiv.xyz

natashaexim.com

hannahmcelgunn.com

retargetingmachines.info

njoconline.com

unicornlankadelivery.com

giftkerala.com

englishfordoctors.online

schatzilandrvresort.com

brujoisaac.com

basiccampinggear.com

escapees.today

dgyxsy888.com

stevebana.xyz

mimozakebap.com

ezdoff.com

pluumyspalace.com

shaoshanshan.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/584-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/584-13-0x000000000041ECC0-mapping.dmp	formbook
behavioral2/memory/844-14-0x0000000000000000-mapping.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Confirm.exeConfirm.execmstp.exe

description	pid	process	target process
PID 4804 set thread context of 584	4804	Confirm.exe	Confirm.exe
PID 584 set thread context of 3152	584	Confirm.exe	Explorer.EXE
PID 844 set thread context of 3152	844	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Confirm.execmstp.exe

pid	process
584	Confirm.exe
584	Confirm.exe
584	Confirm.exe
584	Confirm.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe
844	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Confirm.execmstp.exe

pid process

584 Confirm.exe
584 Confirm.exe
584 Confirm.exe
844 cmstp.exe
844 cmstp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Confirm.exeConfirm.execmstp.exe

description pid process

Token: SeDebugPrivilege 4804 Confirm.exe
Token: SeDebugPrivilege 584 Confirm.exe
Token: SeDebugPrivilege 844 cmstp.exe

description	pid	process
Token: SeDebugPrivilege	4804	Confirm.exe
Token: SeDebugPrivilege	584	Confirm.exe
Token: SeDebugPrivilege	844	cmstp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Confirm.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4804 wrote to memory of 584	4804	Confirm.exe	Confirm.exe
PID 4804 wrote to memory of 584	4804	Confirm.exe	Confirm.exe
PID 4804 wrote to memory of 584	4804	Confirm.exe	Confirm.exe
PID 4804 wrote to memory of 584	4804	Confirm.exe	Confirm.exe
PID 4804 wrote to memory of 584	4804	Confirm.exe	Confirm.exe
PID 4804 wrote to memory of 584	4804	Confirm.exe	Confirm.exe
PID 3152 wrote to memory of 844	3152	Explorer.EXE	cmstp.exe
PID 3152 wrote to memory of 844	3152	Explorer.EXE	cmstp.exe
PID 3152 wrote to memory of 844	3152	Explorer.EXE	cmstp.exe
PID 844 wrote to memory of 652	844	cmstp.exe	cmd.exe
PID 844 wrote to memory of 652	844	cmstp.exe	cmd.exe
PID 844 wrote to memory of 652	844	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3152

C:\Users\Admin\AppData\Local\Temp\Confirm.exe
"C:\Users\Admin\AppData\Local\Temp\Confirm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4804

C:\Users\Admin\AppData\Local\Temp\Confirm.exe
"C:\Users\Admin\AppData\Local\Temp\Confirm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:584

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Confirm.exe"
3⤵
PID:652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/584-13-0x000000000041ECC0-mapping.dmp

Download
memory/652-17-0x0000000000000000-mapping.dmp

Download
memory/844-16-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/844-15-0x0000000000D30000-0x0000000000D46000-memory.dmp

Filesize
88KB

Download
memory/844-14-0x0000000000000000-mapping.dmp

Download
memory/4804-6-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/4804-10-0x0000000005780000-0x0000000005793000-memory.dmp

Filesize
76KB

Download
memory/4804-11-0x0000000000E80000-0x0000000000EEA000-memory.dmp

Filesize
424KB

Download
memory/4804-9-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4804-8-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/4804-7-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/4804-2-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4804-5-0x0000000005200000-0x0000000005201000-memory.dmp

Filesize
4KB

Download
memory/4804-3-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads