formbook | dd2e58b3398ea6d274ba7f993a66cd67fbb2654f73012763f50b309c8b56df38

General

Target

LPO PRECISION MESHES 2352104321QQ.pdf.exe
Size

926KB
MD5

23420e3ded198412f33ffa460e601764
SHA1

326f1bb9ea091b0e8d58852512ee08bed517c64b
SHA256

dd2e58b3398ea6d274ba7f993a66cd67fbb2654f73012763f50b309c8b56df38
SHA512

d7d4ba9b58142d75eba44533d0218eb179d4b9492f2c49ab8a5bad23e96330766cf59ed4394fb7f59d1f20385adb0e949015406f40f4677ef06f5d882a59668b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.magnumopuspro.com/nyr/

Decoy

anemone-vintage.com

ironcitytools.com

joshandmatthew.com

breathtakingscenery.photos

karabakh-terror.com

micahelgall.com

entretiendesterrasses.com

mhgholdings.com

blewm.com

sidewalknotary.com

ytrs-elec.com

danhpham.com

ma21cle2henz.xyz

lotusforlease.com

shipleyphotoandfilm.com

bulktool.xyz

ouedzmala.com

yichengvpr.com

connectmygames.com

chjcsc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-65-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/268-66-0x000000000041EBA0-mapping.dmp	formbook
behavioral1/memory/1192-77-0x0000000000090000-0x00000000000BE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

852 cmd.exe

pid	process
852	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

LPO PRECISION MESHES 2352104321QQ.pdf.exeLPO PRECISION MESHES 2352104321QQ.pdf.exemsiexec.exe

description	pid	process	target process
PID 452 set thread context of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 268 set thread context of 1356	268	LPO PRECISION MESHES 2352104321QQ.pdf.exe	Explorer.EXE
PID 268 set thread context of 1356	268	LPO PRECISION MESHES 2352104321QQ.pdf.exe	Explorer.EXE
PID 1192 set thread context of 1356	1192	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

LPO PRECISION MESHES 2352104321QQ.pdf.exeLPO PRECISION MESHES 2352104321QQ.pdf.exemsiexec.exe

pid	process
452	LPO PRECISION MESHES 2352104321QQ.pdf.exe
452	LPO PRECISION MESHES 2352104321QQ.pdf.exe
268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
1192	msiexec.exe
1192	msiexec.exe
1192	msiexec.exe
1192	msiexec.exe
1192	msiexec.exe
1192	msiexec.exe
1192	msiexec.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

LPO PRECISION MESHES 2352104321QQ.pdf.exemsiexec.exe

pid	process
268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
1192	msiexec.exe
1192	msiexec.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

LPO PRECISION MESHES 2352104321QQ.pdf.exeLPO PRECISION MESHES 2352104321QQ.pdf.exemsiexec.exe

description	pid	process
Token: SeDebugPrivilege	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe
Token: SeDebugPrivilege	268	LPO PRECISION MESHES 2352104321QQ.pdf.exe
Token: SeDebugPrivilege	1192	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

LPO PRECISION MESHES 2352104321QQ.pdf.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 452 wrote to memory of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 452 wrote to memory of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 452 wrote to memory of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 452 wrote to memory of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 452 wrote to memory of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 452 wrote to memory of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 452 wrote to memory of 268	452	LPO PRECISION MESHES 2352104321QQ.pdf.exe	LPO PRECISION MESHES 2352104321QQ.pdf.exe
PID 1356 wrote to memory of 1192	1356	Explorer.EXE	msiexec.exe
PID 1356 wrote to memory of 1192	1356	Explorer.EXE	msiexec.exe
PID 1356 wrote to memory of 1192	1356	Explorer.EXE	msiexec.exe
PID 1356 wrote to memory of 1192	1356	Explorer.EXE	msiexec.exe
PID 1356 wrote to memory of 1192	1356	Explorer.EXE	msiexec.exe
PID 1356 wrote to memory of 1192	1356	Explorer.EXE	msiexec.exe
PID 1356 wrote to memory of 1192	1356	Explorer.EXE	msiexec.exe
PID 1192 wrote to memory of 852	1192	msiexec.exe	cmd.exe
PID 1192 wrote to memory of 852	1192	msiexec.exe	cmd.exe
PID 1192 wrote to memory of 852	1192	msiexec.exe	cmd.exe
PID 1192 wrote to memory of 852	1192	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\LPO PRECISION MESHES 2352104321QQ.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\LPO PRECISION MESHES 2352104321QQ.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:452

C:\Users\Admin\AppData\Local\Temp\LPO PRECISION MESHES 2352104321QQ.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\LPO PRECISION MESHES 2352104321QQ.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1192

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\LPO PRECISION MESHES 2352104321QQ.pdf.exe"
3⤵
- Deletes itself
PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-71-0x0000000000550000-0x0000000000564000-memory.dmp

Filesize
80KB

Download
memory/268-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/268-66-0x000000000041EBA0-mapping.dmp

Download
memory/268-68-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/268-69-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/452-61-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/452-62-0x00000000004F0000-0x00000000004F9000-memory.dmp

Filesize
36KB

Download
memory/452-63-0x0000000005290000-0x0000000005317000-memory.dmp

Filesize
540KB

Download
memory/452-64-0x0000000000610000-0x0000000000653000-memory.dmp

Filesize
268KB

Download
memory/452-59-0x0000000000FA0000-0x0000000000FA1000-memory.dmp

Filesize
4KB

Download
memory/852-75-0x0000000000000000-mapping.dmp

Download
memory/1192-76-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/1192-73-0x0000000000000000-mapping.dmp

Download
memory/1192-74-0x00000000753E1000-0x00000000753E3000-memory.dmp

Filesize
8KB

Download
memory/1192-77-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/1192-78-0x0000000002060000-0x0000000002363000-memory.dmp

Filesize
3.0MB

Download
memory/1192-79-0x0000000002370000-0x0000000002403000-memory.dmp

Filesize
588KB

Download
memory/1356-72-0x0000000007260000-0x00000000073E4000-memory.dmp

Filesize
1.5MB

Download
memory/1356-70-0x00000000040B0000-0x0000000004195000-memory.dmp

Filesize
916KB

Download
memory/1356-80-0x0000000006590000-0x00000000066BC000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads