formbook | c76e376abdeb8103dc00f7c3b68cdf6a685cc5578269b83edc249fa0693cb973

General

Target

pending orders0308 D2101002610 pdf.exe
Size

1.0MB
MD5

346fb2689c7f90207ce5df0b60be8b14
SHA1

3eee0df26d21393485821a95c2beffc8797d090b
SHA256

6a900970eda971ac9e4cc4263b78b6145ef6c5a94783c572805fdf3c85a8503a
SHA512

9875b395dc34b35f011916d89f3647b155821a4627256d1a7fd3c7af655dcec1e153b1ddcd764e957a404547c4cb6b930afbc358f065ec9671030cf82edf02f8

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.gloomyca.com/chue/

Decoy

hairdewproducts.com

whssboys.net

visual-promotions.com

alsgotyaexteriorcleaning.com

conwayconsultant.com

sjlartistrydesign.info

organicroomservice.com

elatedscents.com

selfauthering.com

variablemonsters.com

thedietcop.com

openhouseshamptonroads.com

tyrantthemes.com

trumppowercatamarans.com

yznx.xyz

jshfoodpantry.com

larmealoeil.com

biztradelines.com

axawinterthur.sucks

inspiredtravels.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/680-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/680-126-0x000000000041ED00-mapping.dmp	formbook
behavioral2/memory/2104-135-0x0000000001000000-0x000000000102E000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

pending orders0308 D2101002610 pdf.exepending orders0308 D2101002610 pdf.exeNETSTAT.EXE

description	pid	process	target process
PID 3176 set thread context of 680	3176	pending orders0308 D2101002610 pdf.exe	pending orders0308 D2101002610 pdf.exe
PID 680 set thread context of 2716	680	pending orders0308 D2101002610 pdf.exe	Explorer.EXE
PID 680 set thread context of 2716	680	pending orders0308 D2101002610 pdf.exe	Explorer.EXE
PID 2104 set thread context of 2716	2104	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2104 NETSTAT.EXE

pid	process
2104	NETSTAT.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

NETSTAT.EXE

description	ioc	process
Key created	\Registry\User\S-1-5-21-3686645723-710336880-414668232-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

pending orders0308 D2101002610 pdf.exepending orders0308 D2101002610 pdf.exeNETSTAT.EXE

pid	process
3176	pending orders0308 D2101002610 pdf.exe
3176	pending orders0308 D2101002610 pdf.exe
3176	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 8 IoCs

Processes:

pending orders0308 D2101002610 pdf.exeNETSTAT.EXE

pid	process
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
680	pending orders0308 D2101002610 pdf.exe
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE
2104	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 7 IoCs

Processes:

pending orders0308 D2101002610 pdf.exepending orders0308 D2101002610 pdf.exeNETSTAT.EXEExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3176	pending orders0308 D2101002610 pdf.exe
Token: SeDebugPrivilege	680	pending orders0308 D2101002610 pdf.exe
Token: SeDebugPrivilege	2104	NETSTAT.EXE
Token: SeShutdownPrivilege	2716	Explorer.EXE
Token: SeCreatePagefilePrivilege	2716	Explorer.EXE
Token: SeShutdownPrivilege	2716	Explorer.EXE
Token: SeCreatePagefilePrivilege	2716	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

pending orders0308 D2101002610 pdf.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 3176 wrote to memory of 680	3176	pending orders0308 D2101002610 pdf.exe	pending orders0308 D2101002610 pdf.exe
PID 3176 wrote to memory of 680	3176	pending orders0308 D2101002610 pdf.exe	pending orders0308 D2101002610 pdf.exe
PID 3176 wrote to memory of 680	3176	pending orders0308 D2101002610 pdf.exe	pending orders0308 D2101002610 pdf.exe
PID 3176 wrote to memory of 680	3176	pending orders0308 D2101002610 pdf.exe	pending orders0308 D2101002610 pdf.exe
PID 3176 wrote to memory of 680	3176	pending orders0308 D2101002610 pdf.exe	pending orders0308 D2101002610 pdf.exe
PID 3176 wrote to memory of 680	3176	pending orders0308 D2101002610 pdf.exe	pending orders0308 D2101002610 pdf.exe
PID 2716 wrote to memory of 2104	2716	Explorer.EXE	NETSTAT.EXE
PID 2716 wrote to memory of 2104	2716	Explorer.EXE	NETSTAT.EXE
PID 2716 wrote to memory of 2104	2716	Explorer.EXE	NETSTAT.EXE
PID 2104 wrote to memory of 4068	2104	NETSTAT.EXE	Firefox.exe
PID 2104 wrote to memory of 4068	2104	NETSTAT.EXE	Firefox.exe
PID 2104 wrote to memory of 4068	2104	NETSTAT.EXE	Firefox.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2716

C:\Users\Admin\AppData\Local\Temp\pending orders0308 D2101002610 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pending orders0308 D2101002610 pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3176

C:\Users\Admin\AppData\Local\Temp\pending orders0308 D2101002610 pdf.exe
"C:\Users\Admin\AppData\Local\Temp\pending orders0308 D2101002610 pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:680

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1888

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2104

C:\Program Files\Mozilla Firefox\Firefox.exe
"C:\Program Files\Mozilla Firefox\Firefox.exe"
3⤵
PID:4068

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/680-131-0x00000000013B0000-0x00000000013C4000-memory.dmp

Filesize
80KB

Download
memory/680-129-0x0000000000F70000-0x0000000000F84000-memory.dmp

Filesize
80KB

Download
memory/680-128-0x00000000013E0000-0x0000000001700000-memory.dmp

Filesize
3.1MB

Download
memory/680-126-0x000000000041ED00-mapping.dmp

Download
memory/2104-134-0x0000000001180000-0x000000000118B000-memory.dmp

Filesize
44KB

Download
memory/2104-133-0x0000000000000000-mapping.dmp

Download
memory/2104-137-0x0000000003AF0000-0x0000000003B83000-memory.dmp

Filesize
588KB

Download
memory/2104-136-0x00000000037D0000-0x0000000003AF0000-memory.dmp

Filesize
3.1MB

Download
memory/2104-135-0x0000000001000000-0x000000000102E000-memory.dmp

Filesize
184KB

Download
memory/2716-132-0x0000000002A70000-0x0000000002B70000-memory.dmp

Filesize
1024KB

Download
memory/2716-130-0x0000000005FE0000-0x0000000006183000-memory.dmp

Filesize
1.6MB

Download
memory/2716-138-0x0000000005180000-0x0000000005271000-memory.dmp

Filesize
964KB

Download
memory/3176-120-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3176-117-0x0000000005080000-0x0000000005081000-memory.dmp

Filesize
4KB

Download
memory/3176-116-0x0000000005580000-0x0000000005581000-memory.dmp

Filesize
4KB

Download
memory/3176-121-0x0000000005AC0000-0x0000000005AC9000-memory.dmp

Filesize
36KB

Download
memory/3176-119-0x0000000005060000-0x0000000005061000-memory.dmp

Filesize
4KB

Download
memory/3176-114-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/3176-124-0x00000000082B0000-0x00000000082E3000-memory.dmp

Filesize
204KB

Download
memory/3176-123-0x0000000000FD0000-0x000000000104A000-memory.dmp

Filesize
488KB

Download
memory/3176-122-0x000000007FAF0000-0x000000007FAF1000-memory.dmp

Filesize
4KB

Download
memory/3176-118-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4068-139-0x0000000000000000-mapping.dmp

Download
memory/4068-140-0x00007FF766550000-0x00007FF7665E3000-memory.dmp

Filesize
588KB

Download
memory/4068-141-0x0000014C39AC0000-0x0000014C39C1A000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads