formbook | 844727f01eed9313452abb10cbc86485bdd0f2ba46d3e5fe7e3b87bd1c8a0e60

General

Target

CONT NO DFSU125310 products list.exe
Size

1.0MB
MD5

5a92c96663ac34dd87d73e789c27f610
SHA1

46e21943df04f53eb175007c4bff3040619ae50b
SHA256

9f38ade8e53d28eef33a81e0559b92b44fa878ae9b61fadd3bb245d33486e2c0
SHA512

1bfb7176c5e9eeb2103a36760137fbe773d8b3170842e8e1e92a3b4629b140f93b4804a0198732a71924e0f4514325575310986e8b41805f860f844d01f1ca8a

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.discorddeno.land/suod/

Decoy

casirivimab.info

johnvogia.com

lzdafang.com

tarihmarketi.com

singalongpress.com

three60farms.com

websky.pro

jacketsmecca.com

magentos6.com

brooksideseniorapts.com

onewhistleandflags.com

naturopathe-valdoise-france.com

reflexmem.com

kurumsalpanel.com

bhuwarecruitment.com

exponentialhealth.online

posttensionrepairs.com

prbrokerllc.com

aashealthcarestaffing.com

pubgeventcenter.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1500-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1500-9-0x000000000041ED90-mapping.dmp	formbook
behavioral1/memory/476-18-0x0000000000100000-0x000000000012E000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1304 cmd.exe

pid	process
1304	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

CONT NO DFSU125310 products list.exeCONT NO DFSU125310 products list.exemstsc.exe

description	pid	process	target process
PID 1108 set thread context of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1500 set thread context of 1264	1500	CONT NO DFSU125310 products list.exe	Explorer.EXE
PID 476 set thread context of 1264	476	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

CONT NO DFSU125310 products list.exemstsc.exe

pid	process
1500	CONT NO DFSU125310 products list.exe
1500	CONT NO DFSU125310 products list.exe
476	mstsc.exe
476	mstsc.exe
476	mstsc.exe
476	mstsc.exe
476	mstsc.exe
476	mstsc.exe
476	mstsc.exe
476	mstsc.exe
476	mstsc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

CONT NO DFSU125310 products list.exemstsc.exe

pid	process
1500	CONT NO DFSU125310 products list.exe
1500	CONT NO DFSU125310 products list.exe
1500	CONT NO DFSU125310 products list.exe
476	mstsc.exe
476	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

CONT NO DFSU125310 products list.exemstsc.exe

description pid process

Token: SeDebugPrivilege 1500 CONT NO DFSU125310 products list.exe
Token: SeDebugPrivilege 476 mstsc.exe

description	pid	process
Token: SeDebugPrivilege	1500	CONT NO DFSU125310 products list.exe
Token: SeDebugPrivilege	476	mstsc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

CONT NO DFSU125310 products list.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1108 wrote to memory of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1108 wrote to memory of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1108 wrote to memory of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1108 wrote to memory of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1108 wrote to memory of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1108 wrote to memory of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1108 wrote to memory of 1500	1108	CONT NO DFSU125310 products list.exe	CONT NO DFSU125310 products list.exe
PID 1264 wrote to memory of 476	1264	Explorer.EXE	mstsc.exe
PID 1264 wrote to memory of 476	1264	Explorer.EXE	mstsc.exe
PID 1264 wrote to memory of 476	1264	Explorer.EXE	mstsc.exe
PID 1264 wrote to memory of 476	1264	Explorer.EXE	mstsc.exe
PID 476 wrote to memory of 1304	476	mstsc.exe	cmd.exe
PID 476 wrote to memory of 1304	476	mstsc.exe	cmd.exe
PID 476 wrote to memory of 1304	476	mstsc.exe	cmd.exe
PID 476 wrote to memory of 1304	476	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe
  "C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1108
- - C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe
    "C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1500
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:476
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe"
    3⤵
    - Deletes itself
    PID:1304

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/476-20-0x00000000023C0000-0x0000000002453000-memory.dmp

Filesize
588KB

Download
memory/476-19-0x0000000002010000-0x0000000002313000-memory.dmp

Filesize
3.0MB

Download
memory/476-18-0x0000000000100000-0x000000000012E000-memory.dmp

Filesize
184KB

Download
memory/476-17-0x0000000000830000-0x0000000000934000-memory.dmp

Filesize
1.0MB

Download
memory/476-14-0x0000000000000000-mapping.dmp

Download
memory/476-15-0x00000000760D1000-0x00000000760D3000-memory.dmp

Filesize
8KB

Download
memory/1108-2-0x0000000073E00000-0x00000000744EE000-memory.dmp

Filesize
6.9MB

Download
memory/1108-3-0x0000000000AA0000-0x0000000000AA1000-memory.dmp

Filesize
4KB

Download
memory/1108-5-0x0000000000560000-0x0000000000563000-memory.dmp

Filesize
12KB

Download
memory/1108-6-0x00000000020E0000-0x00000000020E1000-memory.dmp

Filesize
4KB

Download
memory/1108-7-0x0000000004D20000-0x0000000004D74000-memory.dmp

Filesize
336KB

Download
memory/1264-13-0x0000000006880000-0x00000000069AD000-memory.dmp

Filesize
1.2MB

Download
memory/1304-16-0x0000000000000000-mapping.dmp

Download
memory/1500-11-0x0000000000D40000-0x0000000001043000-memory.dmp

Filesize
3.0MB

Download
memory/1500-12-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/1500-9-0x000000000041ED90-mapping.dmp

Download
memory/1500-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads