formbook | 39872cee88d7cf4d0f0cc42d09348b6fea960a62861fab210bf257c4e6bc3a36

General

Target

Details for bookings.exe
Size

999KB
MD5

a25a89b6290bd06ba2bd66ef1ff7b4d1
SHA1

5596b820a3ce13c56473185ad4f67079c4ac3f8d
SHA256

39872cee88d7cf4d0f0cc42d09348b6fea960a62861fab210bf257c4e6bc3a36
SHA512

6a88385d5d653ee01e6251b944de4da855fac18054ede73e8bdae8a30ac832d3a83b8c7ed8bd7c2cf04b855ea9d3fb9032d7560bc25f6d6947ca921b2a8d96a4

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.deuxus.com/t052/

Decoy

ladybug-learning.com

unforgottenstory.com

oldmopaiv.xyz

natashaexim.com

hannahmcelgunn.com

retargetingmachines.info

njoconline.com

unicornlankadelivery.com

giftkerala.com

englishfordoctors.online

schatzilandrvresort.com

brujoisaac.com

basiccampinggear.com

escapees.today

dgyxsy888.com

stevebana.xyz

mimozakebap.com

ezdoff.com

pluumyspalace.com

shaoshanshan.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/524-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/524-9-0x000000000041ECC0-mapping.dmp	formbook
behavioral1/memory/112-16-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

624 cmd.exe

pid	process
624	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Details for bookings.exeDetails for bookings.exewininit.exe

description	pid	process	target process
PID 1832 set thread context of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 524 set thread context of 1196	524	Details for bookings.exe	Explorer.EXE
PID 112 set thread context of 1196	112	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Details for bookings.exeDetails for bookings.exewininit.exe

pid	process
1832	Details for bookings.exe
524	Details for bookings.exe
524	Details for bookings.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe
112	wininit.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Details for bookings.exewininit.exe

pid process

524 Details for bookings.exe
524 Details for bookings.exe
524 Details for bookings.exe
112 wininit.exe
112 wininit.exe

pid	process
524	Details for bookings.exe
524	Details for bookings.exe
524	Details for bookings.exe
112	wininit.exe
112	wininit.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Details for bookings.exeDetails for bookings.exewininit.exe

description	pid	process
Token: SeDebugPrivilege	1832	Details for bookings.exe
Token: SeDebugPrivilege	524	Details for bookings.exe
Token: SeDebugPrivilege	112	wininit.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE
1196 Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Details for bookings.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1832 wrote to memory of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 1832 wrote to memory of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 1832 wrote to memory of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 1832 wrote to memory of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 1832 wrote to memory of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 1832 wrote to memory of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 1832 wrote to memory of 524	1832	Details for bookings.exe	Details for bookings.exe
PID 1196 wrote to memory of 112	1196	Explorer.EXE	wininit.exe
PID 1196 wrote to memory of 112	1196	Explorer.EXE	wininit.exe
PID 1196 wrote to memory of 112	1196	Explorer.EXE	wininit.exe
PID 1196 wrote to memory of 112	1196	Explorer.EXE	wininit.exe
PID 112 wrote to memory of 624	112	wininit.exe	cmd.exe
PID 112 wrote to memory of 624	112	wininit.exe	cmd.exe
PID 112 wrote to memory of 624	112	wininit.exe	cmd.exe
PID 112 wrote to memory of 624	112	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe
"C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe
"C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:524

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
3⤵
- Deletes itself
PID:624

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-14-0x0000000000000000-mapping.dmp

Download
memory/112-19-0x0000000000800000-0x0000000000893000-memory.dmp

Filesize
588KB

Download
memory/112-18-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/112-16-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/112-15-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/524-12-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/524-9-0x000000000041ECC0-mapping.dmp

Download
memory/524-11-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/524-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/624-17-0x0000000000000000-mapping.dmp

Download
memory/1196-13-0x0000000004830000-0x000000000490D000-memory.dmp

Filesize
884KB

Download
memory/1832-2-0x0000000074900000-0x0000000074FEE000-memory.dmp

Filesize
6.9MB

Download
memory/1832-7-0x0000000005050000-0x00000000050B6000-memory.dmp

Filesize
408KB

Download
memory/1832-6-0x00000000002D0000-0x00000000002F3000-memory.dmp

Filesize
140KB

Download
memory/1832-5-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/1832-3-0x0000000000FD0000-0x0000000000FD1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads