formbook | 8029efcb7391f5085588b26992a6ecf4a5b59f036f41ec21ce720bf98e75d512

General

Target

4.exe
Size

611KB
MD5

d3167fb7d23587aa700519d4392a9991
SHA1

bbaa348775bbb75075c5caf22c5936ea6ac8d265
SHA256

8029efcb7391f5085588b26992a6ecf4a5b59f036f41ec21ce720bf98e75d512
SHA512

56556c1542301412a1276f8f672294d32e07949ae8c490c93343d8afc0211b1a9c8a3e3fd4813c505c0e8f895d06ed22b5970bee4c50969e91e21b4fec6b3c34

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3144-119-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3144-121-0x0000000010410000-0x000000001043D000-memory.dmp	formbook
behavioral2/memory/1076-128-0x0000000002D60000-0x0000000002D8D000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

Processes:

dialer.exemsdt.exe

description	pid	process	target process
PID 3144 set thread context of 3024	3144	dialer.exe	Explorer.EXE
PID 1076 set thread context of 3024	1076	msdt.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 52 IoCs

Processes:

dialer.exemsdt.exe

pid	process
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
3144	dialer.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe
1076	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

dialer.exemsdt.exe

pid process

3144 dialer.exe
3144 dialer.exe
3144 dialer.exe
1076 msdt.exe
1076 msdt.exe

pid	process
3024	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

dialer.exeExplorer.EXEmsdt.exe

description	pid	process
Token: SeDebugPrivilege	3144	dialer.exe
Token: SeShutdownPrivilege	3024	Explorer.EXE
Token: SeCreatePagefilePrivilege	3024	Explorer.EXE
Token: SeDebugPrivilege	1076	msdt.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
3024	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 4000 wrote to memory of 3144	4000	4.exe	dialer.exe
PID 4000 wrote to memory of 3144	4000	4.exe	dialer.exe
PID 4000 wrote to memory of 3144	4000	4.exe	dialer.exe
PID 4000 wrote to memory of 3144	4000	4.exe	dialer.exe
PID 4000 wrote to memory of 3144	4000	4.exe	dialer.exe
PID 4000 wrote to memory of 3144	4000	4.exe	dialer.exe
PID 3024 wrote to memory of 1076	3024	Explorer.EXE	msdt.exe
PID 3024 wrote to memory of 1076	3024	Explorer.EXE	msdt.exe
PID 3024 wrote to memory of 1076	3024	Explorer.EXE	msdt.exe
PID 1076 wrote to memory of 3288	1076	msdt.exe	cmd.exe
PID 1076 wrote to memory of 3288	1076	msdt.exe	cmd.exe
PID 1076 wrote to memory of 3288	1076	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\4.exe
"C:\Users\Admin\AppData\Local\Temp\4.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4000

C:\Windows\SysWOW64\dialer.exe
C:\Windows\System32\dialer.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3144

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\dialer.exe"
3⤵
PID:3288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-125-0x0000000000000000-mapping.dmp

Download
memory/1076-130-0x00000000045E0000-0x0000000004673000-memory.dmp

Filesize
588KB

Download
memory/1076-129-0x0000000004720000-0x0000000004A40000-memory.dmp

Filesize
3.1MB

Download
memory/1076-127-0x0000000000180000-0x00000000002F3000-memory.dmp

Filesize
1.4MB

Download
memory/1076-128-0x0000000002D60000-0x0000000002D8D000-memory.dmp

Filesize
180KB

Download
memory/3024-131-0x00000000064D0000-0x00000000065BB000-memory.dmp

Filesize
940KB

Download
memory/3024-124-0x0000000006600000-0x0000000006773000-memory.dmp

Filesize
1.4MB

Download
memory/3144-121-0x0000000010410000-0x000000001043D000-memory.dmp

Filesize
180KB

Download
memory/3144-120-0x0000000002EE0000-0x0000000002EE1000-memory.dmp

Filesize
4KB

Download
memory/3144-123-0x0000000004D50000-0x0000000004D64000-memory.dmp

Filesize
80KB

Download
memory/3144-122-0x0000000004EC0000-0x00000000051E0000-memory.dmp

Filesize
3.1MB

Download
memory/3144-119-0x0000000000000000-mapping.dmp

Download
memory/3288-126-0x0000000000000000-mapping.dmp

Download
memory/4000-114-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/4000-116-0x0000000002450000-0x000000000246A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads