formbook | 9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f

General

Target

W21_0191,pdf.exe
Size

1.0MB
MD5

2b71bd4f414944163720bffe66296f21
SHA1

7c86106022e7b4150d0ba2709f4df368c4b8bc15
SHA256

9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f
SHA512

8eeb0bbcefd0109a82c806d7740a8fe4b6f811a352d20772362302ba2ed615351a0bb3df18f1cd8d5ae28cc1ff7e3bd19333d546b4e4e0faf194ee068b905a7b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.radissonhotelsusa.com/cp5/

Decoy

glcpunix.com

marabierta-coaching.com

osrs-remastered.com

lineagehealthxwellness.com

dunyadagezilecekyerler.com

negociosyfinanzasfaciles.com

bifa510.com

houseofutamasa.com

dopeneeds.com

sailacc.com

thewindgallery.com

elvinrisky.com

flowersassistedliving.com

lzbnwy.com

mrpentester.com

joinmytradingteam.com

jasabuatvisa.com

meherunnessa-foundation.com

notyourtypicaljocks.com

lobo-sports.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1476-10-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1476-11-0x000000000041EBF0-mapping.dmp	formbook
behavioral1/memory/1348-20-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

748 cmd.exe

pid	process
748	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

W21_0191,pdf.exeW21_0191,pdf.exeraserver.exe

description	pid	process	target process
PID 292 set thread context of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 1476 set thread context of 1268	1476	W21_0191,pdf.exe	Explorer.EXE
PID 1348 set thread context of 1268	1348	raserver.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1696 schtasks.exe

pid	process
1696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

W21_0191,pdf.exeW21_0191,pdf.exeraserver.exe

pid	process
292	W21_0191,pdf.exe
1476	W21_0191,pdf.exe
1476	W21_0191,pdf.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe
1348	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

W21_0191,pdf.exeraserver.exe

pid process

1476 W21_0191,pdf.exe
1476 W21_0191,pdf.exe
1476 W21_0191,pdf.exe
1348 raserver.exe
1348 raserver.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

W21_0191,pdf.exeW21_0191,pdf.exeraserver.exe

description pid process

Token: SeDebugPrivilege 292 W21_0191,pdf.exe
Token: SeDebugPrivilege 1476 W21_0191,pdf.exe
Token: SeDebugPrivilege 1348 raserver.exe

pid	process
1476	W21_0191,pdf.exe
1476	W21_0191,pdf.exe
1476	W21_0191,pdf.exe
1348	raserver.exe
1348	raserver.exe

description	pid	process
Token: SeDebugPrivilege	292	W21_0191,pdf.exe
Token: SeDebugPrivilege	1476	W21_0191,pdf.exe
Token: SeDebugPrivilege	1348	raserver.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

W21_0191,pdf.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 292 wrote to memory of 1696	292	W21_0191,pdf.exe	schtasks.exe
PID 292 wrote to memory of 1696	292	W21_0191,pdf.exe	schtasks.exe
PID 292 wrote to memory of 1696	292	W21_0191,pdf.exe	schtasks.exe
PID 292 wrote to memory of 1696	292	W21_0191,pdf.exe	schtasks.exe
PID 292 wrote to memory of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 292 wrote to memory of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 292 wrote to memory of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 292 wrote to memory of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 292 wrote to memory of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 292 wrote to memory of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 292 wrote to memory of 1476	292	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	raserver.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	raserver.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	raserver.exe
PID 1268 wrote to memory of 1348	1268	Explorer.EXE	raserver.exe
PID 1348 wrote to memory of 748	1348	raserver.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	raserver.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	raserver.exe	cmd.exe
PID 1348 wrote to memory of 748	1348	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:292

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ErUoKVSz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp146B.tmp"
3⤵
- Creates scheduled task(s)
PID:1696

C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1348

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
3⤵
- Deletes itself
PID:748

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp146B.tmp
MD5
f842d5df58102070a80760827c8c095c

SHA1
3b95c81015bb4c737af4bd5d6d62ab80b0b07659

SHA256
739ba2f1b0a83a80e3a73291187e770a7c69751836a4aa5e61291fbe31ed3adc

SHA512
f103278be48736f014251d359ec28f67031246225772f63379573ebc44825ca42eb83926ff922d7b845e7e93c43872cc83fc630b11f859cdc126e9f09364014b

Download Submit
memory/292-3-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/292-5-0x00000000004C0000-0x00000000004E3000-memory.dmp

Filesize
140KB

Download
memory/292-6-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/292-7-0x00000000022E0000-0x0000000002346000-memory.dmp

Filesize
408KB

Download
memory/292-2-0x00000000748A0000-0x0000000074F8E000-memory.dmp

Filesize
6.9MB

Download
memory/748-18-0x0000000000000000-mapping.dmp

Download
memory/1268-15-0x0000000007310000-0x000000000749B000-memory.dmp

Filesize
1.5MB

Download
memory/1348-16-0x0000000000000000-mapping.dmp

Download
memory/1348-17-0x0000000076861000-0x0000000076863000-memory.dmp

Filesize
8KB

Download
memory/1348-19-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/1348-21-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/1348-20-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1348-22-0x0000000001EC0000-0x0000000001F53000-memory.dmp

Filesize
588KB

Download
memory/1476-13-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1476-14-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1476-11-0x000000000041EBF0-mapping.dmp

Download
memory/1476-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1696-8-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads