formbook | b9ec25f02746e41791c31aa20c281f9a490a999962853f4b5122e94fb2f1aec2

General

Target

IMG_9539483238436245,jpg.exe
Size

912KB
MD5

cb68abaabc06c778c17c75739d46f49c
SHA1

4001f18d286f239b11894d70a4e223ddf789c465
SHA256

b9ec25f02746e41791c31aa20c281f9a490a999962853f4b5122e94fb2f1aec2
SHA512

43ccee3402df74e05a45b510d5f82ed6206fefb08e93c8bc1f6e2bac29cf23ddd472ff35e9ab5e6f3bdcbf93be13218420993f9dbe06d93ca06652a721a83bfd

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.supinapp.com/grv/

Decoy

morganofatlanta.com

vz473.com

hengetelt.com

bailcally.com

virtuosoonline.com

tenthousandli.com

ohanamascota.com

digi-plates.com

prismagtech.com

we-cinema.com

372680.com

smartautoexpert.xyz

mrxzg.com

apartment-brussels.com

reverseincubator.com

linkasean.com

yummicrabva.com

diguchaye.com

reaktorfatura.com

thecatsaysno.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3872-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3872-126-0x000000000041EC20-mapping.dmp	formbook
behavioral2/memory/1712-133-0x0000000002B70000-0x0000000002B9E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

IMG_9539483238436245,jpg.exeIMG_9539483238436245,jpg.execolorcpl.exe

description	pid	process	target process
PID 4020 set thread context of 3872	4020	IMG_9539483238436245,jpg.exe	IMG_9539483238436245,jpg.exe
PID 3872 set thread context of 3064	3872	IMG_9539483238436245,jpg.exe	Explorer.EXE
PID 1712 set thread context of 3064	1712	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

IMG_9539483238436245,jpg.exeIMG_9539483238436245,jpg.execolorcpl.exe

pid	process
4020	IMG_9539483238436245,jpg.exe
4020	IMG_9539483238436245,jpg.exe
4020	IMG_9539483238436245,jpg.exe
3872	IMG_9539483238436245,jpg.exe
3872	IMG_9539483238436245,jpg.exe
3872	IMG_9539483238436245,jpg.exe
3872	IMG_9539483238436245,jpg.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe
1712	colorcpl.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

IMG_9539483238436245,jpg.execolorcpl.exe

pid process

3872 IMG_9539483238436245,jpg.exe
3872 IMG_9539483238436245,jpg.exe
3872 IMG_9539483238436245,jpg.exe
1712 colorcpl.exe
1712 colorcpl.exe

pid	process
3872	IMG_9539483238436245,jpg.exe
3872	IMG_9539483238436245,jpg.exe
3872	IMG_9539483238436245,jpg.exe
1712	colorcpl.exe
1712	colorcpl.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

IMG_9539483238436245,jpg.exeIMG_9539483238436245,jpg.execolorcpl.exe

description	pid	process
Token: SeDebugPrivilege	4020	IMG_9539483238436245,jpg.exe
Token: SeDebugPrivilege	3872	IMG_9539483238436245,jpg.exe
Token: SeDebugPrivilege	1712	colorcpl.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

IMG_9539483238436245,jpg.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 4020 wrote to memory of 3872	4020	IMG_9539483238436245,jpg.exe	IMG_9539483238436245,jpg.exe
PID 4020 wrote to memory of 3872	4020	IMG_9539483238436245,jpg.exe	IMG_9539483238436245,jpg.exe
PID 4020 wrote to memory of 3872	4020	IMG_9539483238436245,jpg.exe	IMG_9539483238436245,jpg.exe
PID 4020 wrote to memory of 3872	4020	IMG_9539483238436245,jpg.exe	IMG_9539483238436245,jpg.exe
PID 4020 wrote to memory of 3872	4020	IMG_9539483238436245,jpg.exe	IMG_9539483238436245,jpg.exe
PID 4020 wrote to memory of 3872	4020	IMG_9539483238436245,jpg.exe	IMG_9539483238436245,jpg.exe
PID 3064 wrote to memory of 1712	3064	Explorer.EXE	colorcpl.exe
PID 3064 wrote to memory of 1712	3064	Explorer.EXE	colorcpl.exe
PID 3064 wrote to memory of 1712	3064	Explorer.EXE	colorcpl.exe
PID 1712 wrote to memory of 3828	1712	colorcpl.exe	cmd.exe
PID 1712 wrote to memory of 3828	1712	colorcpl.exe	cmd.exe
PID 1712 wrote to memory of 3828	1712	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\IMG_9539483238436245,jpg.exe
  "C:\Users\Admin\AppData\Local\Temp\IMG_9539483238436245,jpg.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4020
- - C:\Users\Admin\AppData\Local\Temp\IMG_9539483238436245,jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\IMG_9539483238436245,jpg.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3872
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\IMG_9539483238436245,jpg.exe"
    3⤵
    PID:3828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1712-136-0x0000000004450000-0x00000000044E3000-memory.dmp

Filesize
588KB

Download
memory/1712-135-0x00000000045F0000-0x0000000004910000-memory.dmp

Filesize
3.1MB

Download
memory/1712-132-0x0000000000180000-0x0000000000199000-memory.dmp

Filesize
100KB

Download
memory/1712-133-0x0000000002B70000-0x0000000002B9E000-memory.dmp

Filesize
184KB

Download
memory/1712-131-0x0000000000000000-mapping.dmp

Download
memory/3064-130-0x0000000004DB0000-0x0000000004F1F000-memory.dmp

Filesize
1.4MB

Download
memory/3064-137-0x00000000043C0000-0x00000000044CE000-memory.dmp

Filesize
1.1MB

Download
memory/3828-134-0x0000000000000000-mapping.dmp

Download
memory/3872-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3872-128-0x0000000001110000-0x0000000001430000-memory.dmp

Filesize
3.1MB

Download
memory/3872-129-0x0000000001090000-0x00000000010A4000-memory.dmp

Filesize
80KB

Download
memory/3872-126-0x000000000041EC20-mapping.dmp

Download
memory/4020-122-0x0000000004B50000-0x0000000004BEC000-memory.dmp

Filesize
624KB

Download
memory/4020-123-0x0000000000AD0000-0x0000000000B4C000-memory.dmp

Filesize
496KB

Download
memory/4020-114-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/4020-124-0x0000000007E40000-0x0000000007E79000-memory.dmp

Filesize
228KB

Download
memory/4020-121-0x0000000004BD0000-0x0000000004BD9000-memory.dmp

Filesize
36KB

Download
memory/4020-120-0x0000000004EA0000-0x0000000004EA1000-memory.dmp

Filesize
4KB

Download
memory/4020-119-0x0000000004B70000-0x0000000004B71000-memory.dmp

Filesize
4KB

Download
memory/4020-118-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/4020-117-0x0000000005190000-0x0000000005191000-memory.dmp

Filesize
4KB

Download
memory/4020-116-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads