formbook | bfa63841a36301ed60a4a0c177ad229a1b09266034182b7c8695fa5d7324f0b4

General

Target

inv.exe
Size

343KB
MD5

59ca7615f52a57b4d4528956889491ca
SHA1

790ffd88a22f28df64c491e9fef87d50ceb9bfb7
SHA256

bfa63841a36301ed60a4a0c177ad229a1b09266034182b7c8695fa5d7324f0b4
SHA512

6564a9edcc216bfde643e24604cb2f536ea997bf902d933c40760ff834decb990f2f70f968484a27619551e4e493adcf867f0a19c1806a8142845692102f95fd

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.nationshiphop.com/hko6/

Decoy

apartmentsineverettwa.com

forritcu.net

hotroodes.com

skinnerttc.com

royaltrustmyanmar.com

adreslog.com

kaysbridalboutiques.com

multitask-improvements.com

geniiforum.com

smarthomehatinh.asia

banglikeaboss.com

javlover.club

affiliateclubindia.com

mycapecoralhomevalue.com

comparamuebles.online

newrochellenissan.com

nairobi-paris.com

fwk.xyz

downdepot.com

nextgenmemorabilia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2008-5-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

inv.exe

description pid process target process

PID 1852 set thread context of 2008 1852 inv.exe inv.exe
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1384 2008 WerFault.exe inv.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

1384 WerFault.exe
1384 WerFault.exe
1384 WerFault.exe
1384 WerFault.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

inv.exe

pid process

1852 inv.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1384 WerFault.exe

description	pid	process	target process
PID 1852 set thread context of 2008	1852	inv.exe	inv.exe

pid	pid_target	process	target process
1384	2008	WerFault.exe	inv.exe

pid	process
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe
1384	WerFault.exe

pid	process
1852	inv.exe

description	pid	process
Token: SeDebugPrivilege	1384	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

inv.exeinv.exe

description	pid	process	target process
PID 1852 wrote to memory of 2008	1852	inv.exe	inv.exe
PID 1852 wrote to memory of 2008	1852	inv.exe	inv.exe
PID 1852 wrote to memory of 2008	1852	inv.exe	inv.exe
PID 1852 wrote to memory of 2008	1852	inv.exe	inv.exe
PID 1852 wrote to memory of 2008	1852	inv.exe	inv.exe
PID 2008 wrote to memory of 1384	2008	inv.exe	WerFault.exe
PID 2008 wrote to memory of 1384	2008	inv.exe	WerFault.exe
PID 2008 wrote to memory of 1384	2008	inv.exe	WerFault.exe
PID 2008 wrote to memory of 1384	2008	inv.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\inv.exe
"C:\Users\Admin\AppData\Local\Temp\inv.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:1852

C:\Users\Admin\AppData\Local\Temp\inv.exe
"C:\Users\Admin\AppData\Local\Temp\inv.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:2008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2008 -s 36
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1384

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1384-3-0x0000000000000000-mapping.dmp

Download
memory/1384-4-0x0000000002070000-0x0000000002081000-memory.dmp

Filesize
68KB

Download
memory/1384-6-0x00000000025A0000-0x00000000025B1000-memory.dmp

Filesize
68KB

Download
memory/1384-7-0x00000000756C1000-0x00000000756C3000-memory.dmp

Filesize
8KB

Download
memory/1384-8-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2008-2-0x000000000041ECF0-mapping.dmp

Download
memory/2008-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing