formbook | 1df6109d033a42d97b34133e69afc0da679586b85b6614b034ebfd9343062d20

General

Target

Request for Quotation.exe
Size

500KB
MD5

1d9fd84bc6eaa80b160bd313750f6ff5
SHA1

011e1975d6cb6a567ad3fed83d59310728bd9227
SHA256

1df6109d033a42d97b34133e69afc0da679586b85b6614b034ebfd9343062d20
SHA512

d66d0a83284f6f21e711c3d62bcd280042d6a50125dc410b4c79d6f6dba7be5b6bd628fb21e6491b2bb291770f6d1c3951257e948dcbbb587e397fc75296a8da

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.fptableau.com/u3q/

Decoy

wingenomics.com

malwaredeepdive.com

uvdxkup.icu

safeweb-url624.com

lighthousetan.com

liumeilin.com

thaiexpressnyc.com

primedperspective.com

georgekwalker.com

purelife-gt.com

theboseproject.com

moralalaska.icu

anthonysoflittleitaly.com

talahadavi.com

waterbrooksacademy.com

aluneaproaieauayauwpalaua.com

mytshirtforlife.com

penerbitlayung.com

chainslugs.com

bhbgsc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral2/memory/3584-6-0x00000000052A0000-0x00000000052FE000-memory.dmp	beds_protector

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/740-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/740-12-0x000000000041EB70-mapping.dmp	formbook
behavioral2/memory/2992-20-0x0000000000950000-0x000000000097E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Request for Quotation.exeRequest for Quotation.exeNETSTAT.EXE

description	pid	process	target process
PID 3584 set thread context of 740	3584	Request for Quotation.exe	Request for Quotation.exe
PID 740 set thread context of 3000	740	Request for Quotation.exe	Explorer.EXE
PID 2992 set thread context of 3000	2992	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2992 NETSTAT.EXE

pid	process
2992	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

Request for Quotation.exeNETSTAT.EXE

pid	process
740	Request for Quotation.exe
740	Request for Quotation.exe
740	Request for Quotation.exe
740	Request for Quotation.exe
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE
2992	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Request for Quotation.exeNETSTAT.EXE

pid process

740 Request for Quotation.exe
740 Request for Quotation.exe
740 Request for Quotation.exe
2992 NETSTAT.EXE
2992 NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

Request for Quotation.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	740	Request for Quotation.exe
Token: SeDebugPrivilege	2992	NETSTAT.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE
Token: SeShutdownPrivilege	3000	Explorer.EXE
Token: SeCreatePagefilePrivilege	3000	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3000 Explorer.EXE

pid	process
3000	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Request for Quotation.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3584 wrote to memory of 740	3584	Request for Quotation.exe	Request for Quotation.exe
PID 3584 wrote to memory of 740	3584	Request for Quotation.exe	Request for Quotation.exe
PID 3584 wrote to memory of 740	3584	Request for Quotation.exe	Request for Quotation.exe
PID 3584 wrote to memory of 740	3584	Request for Quotation.exe	Request for Quotation.exe
PID 3584 wrote to memory of 740	3584	Request for Quotation.exe	Request for Quotation.exe
PID 3584 wrote to memory of 740	3584	Request for Quotation.exe	Request for Quotation.exe
PID 3000 wrote to memory of 2992	3000	Explorer.EXE	NETSTAT.EXE
PID 3000 wrote to memory of 2992	3000	Explorer.EXE	NETSTAT.EXE
PID 3000 wrote to memory of 2992	3000	Explorer.EXE	NETSTAT.EXE
PID 2992 wrote to memory of 204	2992	NETSTAT.EXE	cmd.exe
PID 2992 wrote to memory of 204	2992	NETSTAT.EXE	cmd.exe
PID 2992 wrote to memory of 204	2992	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3584

C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:740

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2992

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation.exe"
3⤵
PID:204

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/204-18-0x0000000000000000-mapping.dmp

Download
memory/740-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/740-14-0x0000000001800000-0x0000000001B20000-memory.dmp

Filesize
3.1MB

Download
memory/740-15-0x0000000001360000-0x0000000001374000-memory.dmp

Filesize
80KB

Download
memory/740-12-0x000000000041EB70-mapping.dmp

Download
memory/2992-19-0x0000000000FB0000-0x0000000000FBB000-memory.dmp

Filesize
44KB

Download
memory/2992-17-0x0000000000000000-mapping.dmp

Download
memory/2992-22-0x0000000000D40000-0x0000000000DD3000-memory.dmp

Filesize
588KB

Download
memory/2992-21-0x0000000002FC0000-0x00000000032E0000-memory.dmp

Filesize
3.1MB

Download
memory/2992-20-0x0000000000950000-0x000000000097E000-memory.dmp

Filesize
184KB

Download
memory/3000-23-0x0000000006660000-0x00000000067A0000-memory.dmp

Filesize
1.2MB

Download
memory/3000-16-0x00000000031E0000-0x00000000032D5000-memory.dmp

Filesize
980KB

Download
memory/3584-5-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/3584-9-0x0000000005540000-0x0000000005541000-memory.dmp

Filesize
4KB

Download
memory/3584-3-0x0000000000A60000-0x0000000000A61000-memory.dmp

Filesize
4KB

Download
memory/3584-2-0x0000000073900000-0x0000000073FEE000-memory.dmp

Filesize
6.9MB

Download
memory/3584-6-0x00000000052A0000-0x00000000052FE000-memory.dmp

Filesize
376KB

Download
memory/3584-7-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/3584-8-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/3584-10-0x0000000005390000-0x000000000539F000-memory.dmp

Filesize
60KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads