formbook | ca035ce2804aff96e07142ecb344766e2fca568af3b5b01f60d7886225d7cd49

General

Target

insz.exe
Size

209KB
MD5

394f9f303f2a0039f204a23c0a5ad1a7
SHA1

a84f6b731446c79f491292a46133087825cdc0ca
SHA256

ca035ce2804aff96e07142ecb344766e2fca568af3b5b01f60d7886225d7cd49
SHA512

ca16a81380c60f0e705e089bfaed815b0a050b4bbadbea1a54332f816a4cfb5535d86f86c93a865d84747e7a32c73193658b6ea5ec72d44cf915b519f6f9af21

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.nationshiphop.com/hko6/

Decoy

apartmentsineverettwa.com

forritcu.net

hotroodes.com

skinnerttc.com

royaltrustmyanmar.com

adreslog.com

kaysbridalboutiques.com

multitask-improvements.com

geniiforum.com

smarthomehatinh.asia

banglikeaboss.com

javlover.club

affiliateclubindia.com

mycapecoralhomevalue.com

comparamuebles.online

newrochellenissan.com

nairobi-paris.com

fwk.xyz

downdepot.com

nextgenmemorabilia.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2456-3-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3204-10-0x0000000000FA0000-0x0000000000FCE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

insz.exeinsz.exehelp.exe

description	pid	process	target process
PID 4032 set thread context of 2456	4032	insz.exe	insz.exe
PID 2456 set thread context of 2828	2456	insz.exe	Explorer.EXE
PID 3204 set thread context of 2828	3204	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

insz.exehelp.exe

pid	process
2456	insz.exe
2456	insz.exe
2456	insz.exe
2456	insz.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe
3204	help.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

insz.exeinsz.exehelp.exe

pid process

4032 insz.exe
2456 insz.exe
2456 insz.exe
2456 insz.exe
3204 help.exe
3204 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

insz.exehelp.exe

description pid process

Token: SeDebugPrivilege 2456 insz.exe
Token: SeDebugPrivilege 3204 help.exe

pid	process
4032	insz.exe
2456	insz.exe
2456	insz.exe
2456	insz.exe
3204	help.exe
3204	help.exe

description	pid	process
Token: SeDebugPrivilege	2456	insz.exe
Token: SeDebugPrivilege	3204	help.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

insz.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 4032 wrote to memory of 2456	4032	insz.exe	insz.exe
PID 4032 wrote to memory of 2456	4032	insz.exe	insz.exe
PID 4032 wrote to memory of 2456	4032	insz.exe	insz.exe
PID 4032 wrote to memory of 2456	4032	insz.exe	insz.exe
PID 2828 wrote to memory of 3204	2828	Explorer.EXE	help.exe
PID 2828 wrote to memory of 3204	2828	Explorer.EXE	help.exe
PID 2828 wrote to memory of 3204	2828	Explorer.EXE	help.exe
PID 3204 wrote to memory of 1928	3204	help.exe	cmd.exe
PID 3204 wrote to memory of 1928	3204	help.exe	cmd.exe
PID 3204 wrote to memory of 1928	3204	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\insz.exe
"C:\Users\Admin\AppData\Local\Temp\insz.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4032

C:\Users\Admin\AppData\Local\Temp\insz.exe
"C:\Users\Admin\AppData\Local\Temp\insz.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2456

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\insz.exe"
3⤵
PID:1928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1928-8-0x0000000000000000-mapping.dmp

Download
memory/2456-2-0x000000000041ECF0-mapping.dmp

Download
memory/2456-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2456-4-0x0000000001310000-0x0000000001630000-memory.dmp

Filesize
3.1MB

Download
memory/2456-5-0x0000000001010000-0x0000000001024000-memory.dmp

Filesize
80KB

Download
memory/2828-6-0x00000000058B0000-0x00000000059CC000-memory.dmp

Filesize
1.1MB

Download
memory/2828-14-0x0000000003290000-0x0000000003353000-memory.dmp

Filesize
780KB

Download
memory/3204-7-0x0000000000000000-mapping.dmp

Download
memory/3204-9-0x00000000010F0000-0x00000000010F7000-memory.dmp

Filesize
28KB

Download
memory/3204-10-0x0000000000FA0000-0x0000000000FCE000-memory.dmp

Filesize
184KB

Download
memory/3204-11-0x0000000003AD0000-0x0000000003DF0000-memory.dmp

Filesize
3.1MB

Download
memory/3204-13-0x00000000035E0000-0x0000000003673000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads