formbook | 93f14543437ad1857e137e828f39022daa65cad654a95be9569d53eb0d89af3c

General

Target

Additional DHL shipment Delivery Parcel.exe
Size

510KB
MD5

b2fd9aab2f1597f74abda918ddc52f89
SHA1

acdf16e4c3a8e0428f7cf1934fdcfe0731b2fc28
SHA256

b5ac8902c4d239f5f72366876e99a586d3aaafe45c9a9e098c8ded9a2db7615c
SHA512

3297c94b09f6845905f621020821c0ae05a95a0c4e96436f57460aeae5786e7be3acf1d159a0b2282636e2d765715d8d4242be80cfa549fa5d301d05baa175ff

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.webperb.com/nehc/

Decoy

havenmaple.com

katrinasmarket.com

ccharlet.com

everestmedicalgroupusa.net

powervoc.com

crypto300cluv.com

davidrichterlaw.com

parkcitysongfest.com

videogeniusawards.com

beleave.club

gooddeedprocessing.com

synthsup.com

eceiptsworld.com

infinityanalytics.co.uk

damghair.com

sabaidate.com

guitarsir.com

thebowlingspot.com

denturelabmiami.com

mo-cooking.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1588-9-0x000000000041ECB0-mapping.dmp	formbook
behavioral1/memory/1588-8-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1460-16-0x00000000001A0000-0x00000000001CE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1616 cmd.exe

pid	process
1616	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Additional DHL shipment Delivery Parcel.exeAdditional DHL shipment Delivery Parcel.execscript.exe

description	pid	process	target process
PID 1728 set thread context of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1588 set thread context of 1276	1588	Additional DHL shipment Delivery Parcel.exe	Explorer.EXE
PID 1460 set thread context of 1276	1460	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

Additional DHL shipment Delivery Parcel.exeAdditional DHL shipment Delivery Parcel.execscript.exe

pid	process
1728	Additional DHL shipment Delivery Parcel.exe
1588	Additional DHL shipment Delivery Parcel.exe
1588	Additional DHL shipment Delivery Parcel.exe
1460	cscript.exe
1460	cscript.exe
1460	cscript.exe
1460	cscript.exe
1460	cscript.exe
1460	cscript.exe
1460	cscript.exe
1460	cscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Additional DHL shipment Delivery Parcel.execscript.exe

pid	process
1588	Additional DHL shipment Delivery Parcel.exe
1588	Additional DHL shipment Delivery Parcel.exe
1588	Additional DHL shipment Delivery Parcel.exe
1460	cscript.exe
1460	cscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Additional DHL shipment Delivery Parcel.exeAdditional DHL shipment Delivery Parcel.execscript.exe

description	pid	process
Token: SeDebugPrivilege	1728	Additional DHL shipment Delivery Parcel.exe
Token: SeDebugPrivilege	1588	Additional DHL shipment Delivery Parcel.exe
Token: SeDebugPrivilege	1460	cscript.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Additional DHL shipment Delivery Parcel.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 1728 wrote to memory of 1684	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1684	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1684	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1684	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1728 wrote to memory of 1588	1728	Additional DHL shipment Delivery Parcel.exe	Additional DHL shipment Delivery Parcel.exe
PID 1276 wrote to memory of 1460	1276	Explorer.EXE	cscript.exe
PID 1276 wrote to memory of 1460	1276	Explorer.EXE	cscript.exe
PID 1276 wrote to memory of 1460	1276	Explorer.EXE	cscript.exe
PID 1276 wrote to memory of 1460	1276	Explorer.EXE	cscript.exe
PID 1460 wrote to memory of 1616	1460	cscript.exe	cmd.exe
PID 1460 wrote to memory of 1616	1460	cscript.exe	cmd.exe
PID 1460 wrote to memory of 1616	1460	cscript.exe	cmd.exe
PID 1460 wrote to memory of 1616	1460	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe
"C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe
"C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
3⤵
PID:1684

C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe
"C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Additional DHL shipment Delivery Parcel.exe"
3⤵
- Deletes itself
PID:1616

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1276-13-0x0000000006B40000-0x0000000006CED000-memory.dmp

Filesize
1.7MB

Download
memory/1460-19-0x0000000001E50000-0x0000000001EE3000-memory.dmp

Filesize
588KB

Download
memory/1460-15-0x0000000000150000-0x0000000000172000-memory.dmp

Filesize
136KB

Download
memory/1460-17-0x0000000002080000-0x0000000002383000-memory.dmp

Filesize
3.0MB

Download
memory/1460-16-0x00000000001A0000-0x00000000001CE000-memory.dmp

Filesize
184KB

Download
memory/1460-14-0x0000000000000000-mapping.dmp

Download
memory/1588-12-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1588-11-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/1588-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1588-9-0x000000000041ECB0-mapping.dmp

Download
memory/1616-18-0x0000000000000000-mapping.dmp

Download
memory/1728-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/1728-7-0x0000000005380000-0x00000000053D4000-memory.dmp

Filesize
336KB

Download
memory/1728-6-0x0000000000340000-0x0000000000343000-memory.dmp

Filesize
12KB

Download
memory/1728-5-0x00000000043A0000-0x00000000043A1000-memory.dmp

Filesize
4KB

Download
memory/1728-3-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads