formbook | 69a395d24a3536ef7698ae036596bed55856d4777356946f498faec3f1395f8d

General

Target

PO#560.zip.exe
Size

913KB
MD5

225f5938273f006356fd813e46e3fcef
SHA1

347cd34fd095ae8f843ee436dde5043bba8fb192
SHA256

69a395d24a3536ef7698ae036596bed55856d4777356946f498faec3f1395f8d
SHA512

a6b9d13ea56e7e22abb484de6c4d5b53b7dc645e23327c9b45d20ce872408d3a9c9c93bdf540e39dd3c4a0206f7fc5008edff5787fad1b2674ebe3e060bbfb9c

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.talllensphotography.com/md5/

Decoy

gnd3.com

thedrata.com

carbeloy.com

impactpittsburg.com

sussage.com

mikespencil.com

ghoshtechno.com

partnermassagetherapy.com

nagago.asia

parkviee.com

kichisanpo.com

awbaviation.com

shopvibeup.com

ab-alamode.com

cash4homesutah.com

funbrushstrokes.com

adeleycar.com

actsbooking.com

rojorodi.icu

fleurdelyscantho.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2940-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2940-14-0x000000000041EBA0-mapping.dmp	formbook
behavioral2/memory/3464-21-0x0000000002C70000-0x0000000002C9E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO#560.zip.exePO#560.zip.exerundll32.exe

description	pid	process	target process
PID 652 set thread context of 2940	652	PO#560.zip.exe	PO#560.zip.exe
PID 2940 set thread context of 3028	2940	PO#560.zip.exe	Explorer.EXE
PID 3464 set thread context of 3028	3464	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

PO#560.zip.exePO#560.zip.exerundll32.exe

pid	process
652	PO#560.zip.exe
2940	PO#560.zip.exe
2940	PO#560.zip.exe
2940	PO#560.zip.exe
2940	PO#560.zip.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe
3464	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO#560.zip.exerundll32.exe

pid process

2940 PO#560.zip.exe
2940 PO#560.zip.exe
2940 PO#560.zip.exe
3464 rundll32.exe
3464 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PO#560.zip.exePO#560.zip.exerundll32.exe

description pid process

Token: SeDebugPrivilege 652 PO#560.zip.exe
Token: SeDebugPrivilege 2940 PO#560.zip.exe
Token: SeDebugPrivilege 3464 rundll32.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE

pid	process
2940	PO#560.zip.exe
2940	PO#560.zip.exe
2940	PO#560.zip.exe
3464	rundll32.exe
3464	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	652	PO#560.zip.exe
Token: SeDebugPrivilege	2940	PO#560.zip.exe
Token: SeDebugPrivilege	3464	rundll32.exe

pid	process
3028	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO#560.zip.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 652 wrote to memory of 2940	652	PO#560.zip.exe	PO#560.zip.exe
PID 652 wrote to memory of 2940	652	PO#560.zip.exe	PO#560.zip.exe
PID 652 wrote to memory of 2940	652	PO#560.zip.exe	PO#560.zip.exe
PID 652 wrote to memory of 2940	652	PO#560.zip.exe	PO#560.zip.exe
PID 652 wrote to memory of 2940	652	PO#560.zip.exe	PO#560.zip.exe
PID 652 wrote to memory of 2940	652	PO#560.zip.exe	PO#560.zip.exe
PID 3028 wrote to memory of 3464	3028	Explorer.EXE	rundll32.exe
PID 3028 wrote to memory of 3464	3028	Explorer.EXE	rundll32.exe
PID 3028 wrote to memory of 3464	3028	Explorer.EXE	rundll32.exe
PID 3464 wrote to memory of 1300	3464	rundll32.exe	cmd.exe
PID 3464 wrote to memory of 1300	3464	rundll32.exe	cmd.exe
PID 3464 wrote to memory of 1300	3464	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe
"C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:652

C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2940

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe"
3⤵
PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-3-0x0000000000530000-0x0000000000531000-memory.dmp

Filesize
4KB

Download
memory/652-5-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/652-6-0x0000000004F10000-0x0000000004F11000-memory.dmp

Filesize
4KB

Download
memory/652-7-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/652-8-0x0000000004FC0000-0x0000000004FC1000-memory.dmp

Filesize
4KB

Download
memory/652-9-0x0000000007430000-0x0000000007431000-memory.dmp

Filesize
4KB

Download
memory/652-10-0x0000000005400000-0x0000000005405000-memory.dmp

Filesize
20KB

Download
memory/652-11-0x0000000008760000-0x0000000008811000-memory.dmp

Filesize
708KB

Download
memory/652-12-0x0000000006C30000-0x0000000006C97000-memory.dmp

Filesize
412KB

Download
memory/652-2-0x0000000073DC0000-0x00000000744AE000-memory.dmp

Filesize
6.9MB

Download
memory/1300-22-0x0000000000000000-mapping.dmp

Download
memory/2940-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2940-17-0x00000000015B0000-0x00000000015C4000-memory.dmp

Filesize
80KB

Download
memory/2940-16-0x0000000001670000-0x0000000001990000-memory.dmp

Filesize
3.1MB

Download
memory/2940-14-0x000000000041EBA0-mapping.dmp

Download
memory/3028-18-0x0000000005F00000-0x0000000006099000-memory.dmp

Filesize
1.6MB

Download
memory/3028-25-0x0000000006600000-0x000000000674F000-memory.dmp

Filesize
1.3MB

Download
memory/3464-19-0x0000000000000000-mapping.dmp

Download
memory/3464-20-0x0000000000970000-0x0000000000983000-memory.dmp

Filesize
76KB

Download
memory/3464-21-0x0000000002C70000-0x0000000002C9E000-memory.dmp

Filesize
184KB

Download
memory/3464-23-0x0000000004AC0000-0x0000000004DE0000-memory.dmp

Filesize
3.1MB

Download
memory/3464-24-0x0000000004A20000-0x0000000004AB3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads