formbook | 7a434269888c9382307a609aceba2b185542ab901cda169d761c2650c84f2f4e

General

Target

payment advise.exe
Size

1.4MB
MD5

7d752130c300fcf1d2cd1668fc29ae28
SHA1

ec52bc66ee4f080618fdc06aa994765c0adc6dee
SHA256

7a434269888c9382307a609aceba2b185542ab901cda169d761c2650c84f2f4e
SHA512

72d0a485ee362f5c1688c5dc2e6507ecaa18f574e73ef8b9e9d71b94179f361ed106e05824c43e5f3eeda8bcc9c1b8c471bd2dac94f4497388b5cf78681aa928

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aftabzahur.com/wgn/

Decoy

kokokara-life-blog.com

faswear.com

futureleadershiptoday.com

date4done.xyz

thecouponinn.com

bbeycarpetsf.com

propolisnasalspray.com

jinjudiamond.com

goodevectors.com

nehyam.com

evalinkapuppets.com

what-if-statistics.com

rateofrisk.com

impacttestonlinne.com

servis-kaydet.info

coloniacafe.com

marcemarketing.com

aarigging.com

goddesswitchery.com

jasqblo.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2012-9-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2012-10-0x000000000041EAC0-mapping.dmp	formbook
behavioral1/memory/760-17-0x00000000000C0000-0x00000000000EE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1120 cmd.exe

pid	process
1120	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

payment advise.exepayment advise.exehelp.exe

description	pid	process	target process
PID 2028 set thread context of 2012	2028	payment advise.exe	payment advise.exe
PID 2012 set thread context of 1252	2012	payment advise.exe	Explorer.EXE
PID 760 set thread context of 1252	760	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

payment advise.exepayment advise.exehelp.exe

pid	process
2028	payment advise.exe
2028	payment advise.exe
2028	payment advise.exe
2012	payment advise.exe
2012	payment advise.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe
760	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

payment advise.exehelp.exe

pid process

2012 payment advise.exe
2012 payment advise.exe
2012 payment advise.exe
760 help.exe
760 help.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

payment advise.exepayment advise.exehelp.exe

description pid process

Token: SeDebugPrivilege 2028 payment advise.exe
Token: SeDebugPrivilege 2012 payment advise.exe
Token: SeDebugPrivilege 760 help.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
1252 Explorer.EXE
1252 Explorer.EXE

pid	process
2012	payment advise.exe
2012	payment advise.exe
2012	payment advise.exe
760	help.exe
760	help.exe

description	pid	process
Token: SeDebugPrivilege	2028	payment advise.exe
Token: SeDebugPrivilege	2012	payment advise.exe
Token: SeDebugPrivilege	760	help.exe

pid	process
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

payment advise.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 2028 wrote to memory of 2012	2028	payment advise.exe	payment advise.exe
PID 2028 wrote to memory of 2012	2028	payment advise.exe	payment advise.exe
PID 2028 wrote to memory of 2012	2028	payment advise.exe	payment advise.exe
PID 2028 wrote to memory of 2012	2028	payment advise.exe	payment advise.exe
PID 2028 wrote to memory of 2012	2028	payment advise.exe	payment advise.exe
PID 2028 wrote to memory of 2012	2028	payment advise.exe	payment advise.exe
PID 2028 wrote to memory of 2012	2028	payment advise.exe	payment advise.exe
PID 1252 wrote to memory of 760	1252	Explorer.EXE	help.exe
PID 1252 wrote to memory of 760	1252	Explorer.EXE	help.exe
PID 1252 wrote to memory of 760	1252	Explorer.EXE	help.exe
PID 1252 wrote to memory of 760	1252	Explorer.EXE	help.exe
PID 760 wrote to memory of 1120	760	help.exe	cmd.exe
PID 760 wrote to memory of 1120	760	help.exe	cmd.exe
PID 760 wrote to memory of 1120	760	help.exe	cmd.exe
PID 760 wrote to memory of 1120	760	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\payment advise.exe
"C:\Users\Admin\AppData\Local\Temp\payment advise.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Users\Admin\AppData\Local\Temp\payment advise.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2012

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:760

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\payment advise.exe"
3⤵
- Deletes itself
PID:1120

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/760-20-0x0000000000550000-0x00000000005E3000-memory.dmp

Filesize
588KB

Download
memory/760-18-0x0000000000690000-0x0000000000993000-memory.dmp

Filesize
3.0MB

Download
memory/760-17-0x00000000000C0000-0x00000000000EE000-memory.dmp

Filesize
184KB

Download
memory/760-16-0x0000000000A00000-0x0000000000A06000-memory.dmp

Filesize
24KB

Download
memory/760-15-0x0000000000000000-mapping.dmp

Download
memory/1120-19-0x0000000000000000-mapping.dmp

Download
memory/1252-14-0x0000000003C40000-0x0000000003D05000-memory.dmp

Filesize
788KB

Download
memory/2012-12-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/2012-13-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2012-10-0x000000000041EAC0-mapping.dmp

Download
memory/2012-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-8-0x0000000004860000-0x00000000048BB000-memory.dmp

Filesize
364KB

Download
memory/2028-7-0x0000000000540000-0x000000000054E000-memory.dmp

Filesize
56KB

Download
memory/2028-6-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2028-5-0x00000000005C0000-0x000000000063E000-memory.dmp

Filesize
504KB

Download
memory/2028-3-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads