formbook | bfa63841a36301ed60a4a0c177ad229a1b09266034182b7c8695fa5d7324f0b4

General

Target

inv.exe
Size

343KB
MD5

59ca7615f52a57b4d4528956889491ca
SHA1

790ffd88a22f28df64c491e9fef87d50ceb9bfb7
SHA256

bfa63841a36301ed60a4a0c177ad229a1b09266034182b7c8695fa5d7324f0b4
SHA512

6564a9edcc216bfde643e24604cb2f536ea997bf902d933c40760ff834decb990f2f70f968484a27619551e4e493adcf867f0a19c1806a8142845692102f95fd

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.nationshiphop.com/hko6/

Decoy

apartmentsineverettwa.com

forritcu.net

hotroodes.com

skinnerttc.com

royaltrustmyanmar.com

adreslog.com

kaysbridalboutiques.com

multitask-improvements.com

geniiforum.com

smarthomehatinh.asia

banglikeaboss.com

javlover.club

affiliateclubindia.com

mycapecoralhomevalue.com

comparamuebles.online

newrochellenissan.com

nairobi-paris.com

fwk.xyz

downdepot.com

nextgenmemorabilia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3476-3-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3824-11-0x0000000002DB0000-0x0000000002DDE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

inv.exeinv.exemstsc.exe

description	pid	process	target process
PID 4760 set thread context of 3476	4760	inv.exe	inv.exe
PID 3476 set thread context of 2640	3476	inv.exe	Explorer.EXE
PID 3824 set thread context of 2640	3824	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

inv.exemstsc.exe

pid	process
3476	inv.exe
3476	inv.exe
3476	inv.exe
3476	inv.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe
3824	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

inv.exeinv.exemstsc.exe

pid process

4760 inv.exe
3476 inv.exe
3476 inv.exe
3476 inv.exe
3824 mstsc.exe
3824 mstsc.exe

pid	process
4760	inv.exe
3476	inv.exe
3476	inv.exe
3476	inv.exe
3824	mstsc.exe
3824	mstsc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

Processes:

inv.exeExplorer.EXEmstsc.exe

description	pid	process
Token: SeDebugPrivilege	3476	inv.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeDebugPrivilege	3824	mstsc.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2640 Explorer.EXE

pid	process
2640	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

inv.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 4760 wrote to memory of 3476	4760	inv.exe	inv.exe
PID 4760 wrote to memory of 3476	4760	inv.exe	inv.exe
PID 4760 wrote to memory of 3476	4760	inv.exe	inv.exe
PID 4760 wrote to memory of 3476	4760	inv.exe	inv.exe
PID 2640 wrote to memory of 3824	2640	Explorer.EXE	mstsc.exe
PID 2640 wrote to memory of 3824	2640	Explorer.EXE	mstsc.exe
PID 2640 wrote to memory of 3824	2640	Explorer.EXE	mstsc.exe
PID 3824 wrote to memory of 3384	3824	mstsc.exe	cmd.exe
PID 3824 wrote to memory of 3384	3824	mstsc.exe	cmd.exe
PID 3824 wrote to memory of 3384	3824	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2640

C:\Users\Admin\AppData\Local\Temp\inv.exe
"C:\Users\Admin\AppData\Local\Temp\inv.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\inv.exe
"C:\Users\Admin\AppData\Local\Temp\inv.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3476

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3824

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\inv.exe"
3⤵
PID:3384

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2640-7-0x0000000002530000-0x000000000262E000-memory.dmp

Filesize
1016KB

Download
memory/2640-14-0x0000000004B10000-0x0000000004BFC000-memory.dmp

Filesize
944KB

Download
memory/3384-9-0x0000000000000000-mapping.dmp

Download
memory/3476-2-0x000000000041ECF0-mapping.dmp

Download
memory/3476-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3476-4-0x00000000017B0000-0x0000000001AD0000-memory.dmp

Filesize
3.1MB

Download
memory/3476-6-0x0000000001360000-0x0000000001374000-memory.dmp

Filesize
80KB

Download
memory/3824-8-0x0000000000000000-mapping.dmp

Download
memory/3824-10-0x00000000000D0000-0x00000000003CC000-memory.dmp

Filesize
3.0MB

Download
memory/3824-11-0x0000000002DB0000-0x0000000002DDE000-memory.dmp

Filesize
184KB

Download
memory/3824-12-0x0000000004720000-0x0000000004A40000-memory.dmp

Filesize
3.1MB

Download
memory/3824-13-0x0000000004620000-0x00000000046B3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads