formbook | 9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f

General

Target

W21_0191,pdf.exe
Size

1.0MB
MD5

2b71bd4f414944163720bffe66296f21
SHA1

7c86106022e7b4150d0ba2709f4df368c4b8bc15
SHA256

9bf3bb9e44490d5836c31036a78c59c92a51d8f6bfb33363d8c617d27967ff3f
SHA512

8eeb0bbcefd0109a82c806d7740a8fe4b6f811a352d20772362302ba2ed615351a0bb3df18f1cd8d5ae28cc1ff7e3bd19333d546b4e4e0faf194ee068b905a7b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.radissonhotelsusa.com/cp5/

Decoy

glcpunix.com

marabierta-coaching.com

osrs-remastered.com

lineagehealthxwellness.com

dunyadagezilecekyerler.com

negociosyfinanzasfaciles.com

bifa510.com

houseofutamasa.com

dopeneeds.com

sailacc.com

thewindgallery.com

elvinrisky.com

flowersassistedliving.com

lzbnwy.com

mrpentester.com

joinmytradingteam.com

jasabuatvisa.com

meherunnessa-foundation.com

notyourtypicaljocks.com

lobo-sports.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3600-15-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3600-16-0x000000000041EBF0-mapping.dmp	formbook
behavioral2/memory/732-24-0x0000000000A00000-0x0000000000A2E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

W21_0191,pdf.exeW21_0191,pdf.exenetsh.exe

description	pid	process	target process
PID 880 set thread context of 3600	880	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 3600 set thread context of 2868	3600	W21_0191,pdf.exe	Explorer.EXE
PID 732 set thread context of 2868	732	netsh.exe	Explorer.EXE

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

3056 schtasks.exe

pid	process
3056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

Processes:

W21_0191,pdf.exeW21_0191,pdf.exenetsh.exe

pid	process
880	W21_0191,pdf.exe
3600	W21_0191,pdf.exe
3600	W21_0191,pdf.exe
3600	W21_0191,pdf.exe
3600	W21_0191,pdf.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe
732	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

W21_0191,pdf.exenetsh.exe

pid process

3600 W21_0191,pdf.exe
3600 W21_0191,pdf.exe
3600 W21_0191,pdf.exe
732 netsh.exe
732 netsh.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

W21_0191,pdf.exeW21_0191,pdf.exenetsh.exe

description pid process

Token: SeDebugPrivilege 880 W21_0191,pdf.exe
Token: SeDebugPrivilege 3600 W21_0191,pdf.exe
Token: SeDebugPrivilege 732 netsh.exe

pid	process
3600	W21_0191,pdf.exe
3600	W21_0191,pdf.exe
3600	W21_0191,pdf.exe
732	netsh.exe
732	netsh.exe

description	pid	process
Token: SeDebugPrivilege	880	W21_0191,pdf.exe
Token: SeDebugPrivilege	3600	W21_0191,pdf.exe
Token: SeDebugPrivilege	732	netsh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

W21_0191,pdf.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 880 wrote to memory of 3056	880	W21_0191,pdf.exe	schtasks.exe
PID 880 wrote to memory of 3056	880	W21_0191,pdf.exe	schtasks.exe
PID 880 wrote to memory of 3056	880	W21_0191,pdf.exe	schtasks.exe
PID 880 wrote to memory of 3600	880	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 880 wrote to memory of 3600	880	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 880 wrote to memory of 3600	880	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 880 wrote to memory of 3600	880	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 880 wrote to memory of 3600	880	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 880 wrote to memory of 3600	880	W21_0191,pdf.exe	W21_0191,pdf.exe
PID 2868 wrote to memory of 732	2868	Explorer.EXE	netsh.exe
PID 2868 wrote to memory of 732	2868	Explorer.EXE	netsh.exe
PID 2868 wrote to memory of 732	2868	Explorer.EXE	netsh.exe
PID 732 wrote to memory of 1240	732	netsh.exe	cmd.exe
PID 732 wrote to memory of 1240	732	netsh.exe	cmd.exe
PID 732 wrote to memory of 1240	732	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:880

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ErUoKVSz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp99B0.tmp"
3⤵
- Creates scheduled task(s)
PID:3056

C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe
"C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3600

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:732

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\W21_0191,pdf.exe"
3⤵
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp99B0.tmp
MD5
be39af2a2f092e75e4f1113c22e98426

SHA1
58893785a3c3093a4a3806b06a521c80925c9441

SHA256
43cb05a1d2e43e0e95a9f2f2e133772d023abef7c7f4a68353aaa26e3cdc610a

SHA512
6840b0fd633f815711bf3970bc953d27b6e3219cdb2ba18238f6abb1609c91ba7573bacd6deb4cff993a7b2e463e70133a80e880dfcb92c1ed56a3a32d4ff586

Download Submit
memory/732-27-0x0000000001260000-0x00000000012F3000-memory.dmp

Filesize
588KB

Download
memory/732-26-0x0000000001380000-0x00000000016A0000-memory.dmp

Filesize
3.1MB

Download
memory/732-23-0x00000000017F0000-0x000000000180E000-memory.dmp

Filesize
120KB

Download
memory/732-24-0x0000000000A00000-0x0000000000A2E000-memory.dmp

Filesize
184KB

Download
memory/732-22-0x0000000000000000-mapping.dmp

Download
memory/880-9-0x0000000004960000-0x0000000004961000-memory.dmp

Filesize
4KB

Download
memory/880-6-0x0000000004F80000-0x0000000004F81000-memory.dmp

Filesize
4KB

Download
memory/880-11-0x00000000049A0000-0x00000000049C3000-memory.dmp

Filesize
140KB

Download
memory/880-12-0x0000000005840000-0x00000000058A6000-memory.dmp

Filesize
408KB

Download
memory/880-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/880-2-0x0000000073460000-0x0000000073B4E000-memory.dmp

Filesize
6.9MB

Download
memory/880-5-0x00000000049E0000-0x00000000049E1000-memory.dmp

Filesize
4KB

Download
memory/880-10-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/880-7-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/880-8-0x0000000004CB0000-0x0000000004CB1000-memory.dmp

Filesize
4KB

Download
memory/1240-25-0x0000000000000000-mapping.dmp

Download
memory/2868-21-0x0000000005FA0000-0x00000000060E1000-memory.dmp

Filesize
1.3MB

Download
memory/2868-28-0x0000000006220000-0x0000000006397000-memory.dmp

Filesize
1.5MB

Download
memory/3056-13-0x0000000000000000-mapping.dmp

Download
memory/3600-20-0x0000000001640000-0x0000000001654000-memory.dmp

Filesize
80KB

Download
memory/3600-19-0x0000000001AA0000-0x0000000001DC0000-memory.dmp

Filesize
3.1MB

Download
memory/3600-16-0x000000000041EBF0-mapping.dmp

Download
memory/3600-15-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads