formbook | 5b03193577fcef8a56df4c9a781c91eef18dc3aed4db5b292c03a6deb31ed856

General

Target

PI.exe
Size

893KB
MD5

2c2689d8df4d2bcfa0ed7ec258dd2995
SHA1

b709bf1f74f0788bf531f6456377de5f11d3cbad
SHA256

347d1f815da2688725cc8fe7bfa9cc5369800b8d30bcddce7ac4bc6a21f972e7
SHA512

bad3421f762bf2376b9f8414008d8fe427612afcef7b202c31baed0d93e46ef19bcb67696a950438aedb0f4fee491f274fccc1c4d47262e4af60f81ba5e52ee9

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.middlehambooks.com/klf/

Decoy

podcastyourvote.com

northernlsx.com

guide4idiots.com

artebythesea.com

sapanyc.com

livinoutthedreamsco.com

thepowersinyou.com

protocolmodern.com

holdergear.com

betteringthehumanexperience.xyz

agnostec.com

royermaldonado.com

wealthtruckingco.com

artcode-software.com

microsoftpods.com

identityofplace.com

algoritas.com

grandpaurbanfarm.net

zahidibr.com

flawlessdrinking.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3860-126-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3860-127-0x000000000041EB20-mapping.dmp	formbook
behavioral2/memory/3428-134-0x0000000000110000-0x000000000013E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PI.exePI.execontrol.exe

description	pid	process	target process
PID 1968 set thread context of 3860	1968	PI.exe	PI.exe
PID 3860 set thread context of 1392	3860	PI.exe	Explorer.EXE
PID 3428 set thread context of 1392	3428	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

PI.exePI.execontrol.exe

pid	process
1968	PI.exe
1968	PI.exe
1968	PI.exe
3860	PI.exe
3860	PI.exe
3860	PI.exe
3860	PI.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe
3428	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PI.execontrol.exe

pid process

3860 PI.exe
3860 PI.exe
3860 PI.exe
3428 control.exe
3428 control.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PI.exePI.execontrol.exe

description pid process

Token: SeDebugPrivilege 1968 PI.exe
Token: SeDebugPrivilege 3860 PI.exe
Token: SeDebugPrivilege 3428 control.exe

pid	process
3860	PI.exe
3860	PI.exe
3860	PI.exe
3428	control.exe
3428	control.exe

description	pid	process
Token: SeDebugPrivilege	1968	PI.exe
Token: SeDebugPrivilege	3860	PI.exe
Token: SeDebugPrivilege	3428	control.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PI.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1968 wrote to memory of 3860	1968	PI.exe	PI.exe
PID 1968 wrote to memory of 3860	1968	PI.exe	PI.exe
PID 1968 wrote to memory of 3860	1968	PI.exe	PI.exe
PID 1968 wrote to memory of 3860	1968	PI.exe	PI.exe
PID 1968 wrote to memory of 3860	1968	PI.exe	PI.exe
PID 1968 wrote to memory of 3860	1968	PI.exe	PI.exe
PID 1392 wrote to memory of 3428	1392	Explorer.EXE	control.exe
PID 1392 wrote to memory of 3428	1392	Explorer.EXE	control.exe
PID 1392 wrote to memory of 3428	1392	Explorer.EXE	control.exe
PID 3428 wrote to memory of 2124	3428	control.exe	cmd.exe
PID 3428 wrote to memory of 2124	3428	control.exe	cmd.exe
PID 3428 wrote to memory of 2124	3428	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1968

C:\Users\Admin\AppData\Local\Temp\PI.exe
"C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3860

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3428

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI.exe"
3⤵
PID:2124

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1392-131-0x0000000002B40000-0x0000000002C05000-memory.dmp

Filesize
788KB

Download
memory/1392-138-0x0000000006490000-0x00000000065C4000-memory.dmp

Filesize
1.2MB

Download
memory/1968-120-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/1968-117-0x000000000AB60000-0x000000000AB61000-memory.dmp

Filesize
4KB

Download
memory/1968-119-0x000000000ACA0000-0x000000000ACA1000-memory.dmp

Filesize
4KB

Download
memory/1968-114-0x0000000000D00000-0x0000000000D01000-memory.dmp

Filesize
4KB

Download
memory/1968-121-0x0000000002F30000-0x0000000002F31000-memory.dmp

Filesize
4KB

Download
memory/1968-122-0x000000000AC00000-0x000000000AC01000-memory.dmp

Filesize
4KB

Download
memory/1968-123-0x000000000AC60000-0x000000000AC69000-memory.dmp

Filesize
36KB

Download
memory/1968-124-0x000000000B800000-0x000000000B886000-memory.dmp

Filesize
536KB

Download
memory/1968-125-0x0000000001600000-0x0000000001640000-memory.dmp

Filesize
256KB

Download
memory/1968-116-0x0000000007A40000-0x0000000007AC0000-memory.dmp

Filesize
512KB

Download
memory/1968-118-0x000000000B100000-0x000000000B101000-memory.dmp

Filesize
4KB

Download
memory/2124-136-0x0000000000000000-mapping.dmp

Download
memory/3428-134-0x0000000000110000-0x000000000013E000-memory.dmp

Filesize
184KB

Download
memory/3428-132-0x0000000000000000-mapping.dmp

Download
memory/3428-133-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/3428-135-0x00000000042E0000-0x0000000004600000-memory.dmp

Filesize
3.1MB

Download
memory/3428-137-0x00000000041E0000-0x0000000004273000-memory.dmp

Filesize
588KB

Download
memory/3860-130-0x00000000013B0000-0x00000000013C4000-memory.dmp

Filesize
80KB

Download
memory/3860-129-0x0000000001430000-0x0000000001750000-memory.dmp

Filesize
3.1MB

Download
memory/3860-127-0x000000000041EB20-mapping.dmp

Download
memory/3860-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads