formbook | 39872cee88d7cf4d0f0cc42d09348b6fea960a62861fab210bf257c4e6bc3a36

General

Target

Details for bookings.exe
Size

999KB
MD5

a25a89b6290bd06ba2bd66ef1ff7b4d1
SHA1

5596b820a3ce13c56473185ad4f67079c4ac3f8d
SHA256

39872cee88d7cf4d0f0cc42d09348b6fea960a62861fab210bf257c4e6bc3a36
SHA512

6a88385d5d653ee01e6251b944de4da855fac18054ede73e8bdae8a30ac832d3a83b8c7ed8bd7c2cf04b855ea9d3fb9032d7560bc25f6d6947ca921b2a8d96a4

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.deuxus.com/t052/

Decoy

ladybug-learning.com

unforgottenstory.com

oldmopaiv.xyz

natashaexim.com

hannahmcelgunn.com

retargetingmachines.info

njoconline.com

unicornlankadelivery.com

giftkerala.com

englishfordoctors.online

schatzilandrvresort.com

brujoisaac.com

basiccampinggear.com

escapees.today

dgyxsy888.com

stevebana.xyz

mimozakebap.com

ezdoff.com

pluumyspalace.com

shaoshanshan.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/528-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/528-14-0x000000000041ECC0-mapping.dmp	formbook
behavioral2/memory/1012-21-0x00000000009A0000-0x00000000009CE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Details for bookings.exeDetails for bookings.exerundll32.exe

description	pid	process	target process
PID 4776 set thread context of 528	4776	Details for bookings.exe	Details for bookings.exe
PID 528 set thread context of 3012	528	Details for bookings.exe	Explorer.EXE
PID 1012 set thread context of 3012	1012	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 41 IoCs

Processes:

Details for bookings.exeDetails for bookings.exerundll32.exe

pid	process
4776	Details for bookings.exe
528	Details for bookings.exe
528	Details for bookings.exe
528	Details for bookings.exe
528	Details for bookings.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe
1012	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Details for bookings.exerundll32.exe

pid process

528 Details for bookings.exe
528 Details for bookings.exe
528 Details for bookings.exe
1012 rundll32.exe
1012 rundll32.exe

pid	process
528	Details for bookings.exe
528	Details for bookings.exe
528	Details for bookings.exe
1012	rundll32.exe
1012	rundll32.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Details for bookings.exeDetails for bookings.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeDebugPrivilege	4776	Details for bookings.exe
Token: SeDebugPrivilege	528	Details for bookings.exe
Token: SeShutdownPrivilege	3012	Explorer.EXE
Token: SeCreatePagefilePrivilege	3012	Explorer.EXE
Token: SeDebugPrivilege	1012	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Details for bookings.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4776 wrote to memory of 528	4776	Details for bookings.exe	Details for bookings.exe
PID 4776 wrote to memory of 528	4776	Details for bookings.exe	Details for bookings.exe
PID 4776 wrote to memory of 528	4776	Details for bookings.exe	Details for bookings.exe
PID 4776 wrote to memory of 528	4776	Details for bookings.exe	Details for bookings.exe
PID 4776 wrote to memory of 528	4776	Details for bookings.exe	Details for bookings.exe
PID 4776 wrote to memory of 528	4776	Details for bookings.exe	Details for bookings.exe
PID 3012 wrote to memory of 1012	3012	Explorer.EXE	rundll32.exe
PID 3012 wrote to memory of 1012	3012	Explorer.EXE	rundll32.exe
PID 3012 wrote to memory of 1012	3012	Explorer.EXE	rundll32.exe
PID 1012 wrote to memory of 1080	1012	rundll32.exe	cmd.exe
PID 1012 wrote to memory of 1080	1012	rundll32.exe	cmd.exe
PID 1012 wrote to memory of 1080	1012	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012

C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe
"C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4776

C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe
"C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:528

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:832

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:876

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:932

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1008

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Details for bookings.exe"
3⤵
PID:1080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/528-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/528-17-0x0000000001C70000-0x0000000001C84000-memory.dmp

Filesize
80KB

Download
memory/528-16-0x0000000001950000-0x0000000001C70000-memory.dmp

Filesize
3.1MB

Download
memory/528-14-0x000000000041ECC0-mapping.dmp

Download
memory/1012-19-0x0000000000000000-mapping.dmp

Download
memory/1012-24-0x0000000004DB0000-0x0000000004E43000-memory.dmp

Filesize
588KB

Download
memory/1012-23-0x0000000004A90000-0x0000000004DB0000-memory.dmp

Filesize
3.1MB

Download
memory/1012-21-0x00000000009A0000-0x00000000009CE000-memory.dmp

Filesize
184KB

Download
memory/1012-20-0x0000000000CD0000-0x0000000000CE3000-memory.dmp

Filesize
76KB

Download
memory/1080-22-0x0000000000000000-mapping.dmp

Download
memory/3012-18-0x00000000058F0000-0x0000000005A25000-memory.dmp

Filesize
1.2MB

Download
memory/3012-25-0x00000000057D0000-0x00000000058DB000-memory.dmp

Filesize
1.0MB

Download
memory/4776-12-0x00000000060C0000-0x0000000006126000-memory.dmp

Filesize
408KB

Download
memory/4776-3-0x0000000000B00000-0x0000000000B01000-memory.dmp

Filesize
4KB

Download
memory/4776-5-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4776-2-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4776-6-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/4776-7-0x0000000005550000-0x0000000005551000-memory.dmp

Filesize
4KB

Download
memory/4776-8-0x0000000005610000-0x0000000005611000-memory.dmp

Filesize
4KB

Download
memory/4776-11-0x0000000005730000-0x0000000005731000-memory.dmp

Filesize
4KB

Download
memory/4776-10-0x0000000005650000-0x0000000005673000-memory.dmp

Filesize
140KB

Download
memory/4776-9-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads