formbook | 9ca276f44ec7a1e4745a4d880072d374fd6db44efb6e9c2b44e80cfcf0274472

General

Target

RFQ.exe
Size

845KB
MD5

90064098dcdf665a8affc5825e4e7815
SHA1

81adbb9921401a4bb567f665d3dabeff61278a04
SHA256

9ca276f44ec7a1e4745a4d880072d374fd6db44efb6e9c2b44e80cfcf0274472
SHA512

e01a5d638e81a9665e49743229f2194b3201832e50855ce1c4a701985c0902ed4e21954d4afab1d1f99c348461eeb58121b7d2b0a05f9ce53abc4190d9382f79

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.consultinggroupwv.com/ple/

Decoy

antibuildshop.com

saveyourgrandchildren.com

nelivo.com

skatelife.net

shiftingbaba.com

5daykitchen.contractors

influenciadoradesucesso.com

fuutu.com

mejor-producto.com

xianqianbao99.com

uq6eik5mo4.com

kn-security.com

dangerouslyme.com

whmznx.club

teteperformance.com

gospelofrecovery.com

lakidsacting.com

halojabar.com

easytolovehardtodefine.com

safeairseal.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3628-126-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3628-127-0x000000000041EBE0-mapping.dmp	formbook
behavioral2/memory/3180-134-0x0000000000D60000-0x0000000000D8E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ.exeRFQ.execontrol.exe

description	pid	process	target process
PID 4044 set thread context of 3628	4044	RFQ.exe	RFQ.exe
PID 3628 set thread context of 3028	3628	RFQ.exe	Explorer.EXE
PID 3180 set thread context of 3028	3180	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

RFQ.exeRFQ.execontrol.exe

pid	process
4044	RFQ.exe
4044	RFQ.exe
4044	RFQ.exe
3628	RFQ.exe
3628	RFQ.exe
3628	RFQ.exe
3628	RFQ.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe
3180	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ.execontrol.exe

pid process

3628 RFQ.exe
3628 RFQ.exe
3628 RFQ.exe
3180 control.exe
3180 control.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

RFQ.exeRFQ.execontrol.exe

description pid process

Token: SeDebugPrivilege 4044 RFQ.exe
Token: SeDebugPrivilege 3628 RFQ.exe
Token: SeDebugPrivilege 3180 control.exe

pid	process
3628	RFQ.exe
3628	RFQ.exe
3628	RFQ.exe
3180	control.exe
3180	control.exe

description	pid	process
Token: SeDebugPrivilege	4044	RFQ.exe
Token: SeDebugPrivilege	3628	RFQ.exe
Token: SeDebugPrivilege	3180	control.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

RFQ.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 4044 wrote to memory of 3628	4044	RFQ.exe	RFQ.exe
PID 4044 wrote to memory of 3628	4044	RFQ.exe	RFQ.exe
PID 4044 wrote to memory of 3628	4044	RFQ.exe	RFQ.exe
PID 4044 wrote to memory of 3628	4044	RFQ.exe	RFQ.exe
PID 4044 wrote to memory of 3628	4044	RFQ.exe	RFQ.exe
PID 4044 wrote to memory of 3628	4044	RFQ.exe	RFQ.exe
PID 3028 wrote to memory of 3180	3028	Explorer.EXE	control.exe
PID 3028 wrote to memory of 3180	3028	Explorer.EXE	control.exe
PID 3028 wrote to memory of 3180	3028	Explorer.EXE	control.exe
PID 3180 wrote to memory of 3868	3180	control.exe	cmd.exe
PID 3180 wrote to memory of 3868	3180	control.exe	cmd.exe
PID 3180 wrote to memory of 3868	3180	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4044

C:\Users\Admin\AppData\Local\Temp\RFQ.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3628

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3892

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ.exe"
3⤵
PID:3868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-138-0x0000000005420000-0x0000000005532000-memory.dmp

Filesize
1.1MB

Download
memory/3028-131-0x00000000065D0000-0x000000000673B000-memory.dmp

Filesize
1.4MB

Download
memory/3180-137-0x0000000004D90000-0x0000000004E23000-memory.dmp

Filesize
588KB

Download
memory/3180-136-0x0000000004E50000-0x0000000005170000-memory.dmp

Filesize
3.1MB

Download
memory/3180-133-0x0000000001240000-0x0000000001260000-memory.dmp

Filesize
128KB

Download
memory/3180-134-0x0000000000D60000-0x0000000000D8E000-memory.dmp

Filesize
184KB

Download
memory/3180-132-0x0000000000000000-mapping.dmp

Download
memory/3628-127-0x000000000041EBE0-mapping.dmp

Download
memory/3628-130-0x0000000000F40000-0x0000000000F54000-memory.dmp

Filesize
80KB

Download
memory/3628-129-0x0000000001260000-0x0000000001580000-memory.dmp

Filesize
3.1MB

Download
memory/3628-126-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3868-135-0x0000000000000000-mapping.dmp

Download
memory/4044-120-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4044-125-0x00000000011B0000-0x000000000122C000-memory.dmp

Filesize
496KB

Download
memory/4044-124-0x00000000060A0000-0x0000000006159000-memory.dmp

Filesize
740KB

Download
memory/4044-123-0x000000007EE20000-0x000000007EE21000-memory.dmp

Filesize
4KB

Download
memory/4044-122-0x0000000005610000-0x000000000561D000-memory.dmp

Filesize
52KB

Download
memory/4044-121-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4044-114-0x00000000008C0000-0x00000000008C1000-memory.dmp

Filesize
4KB

Download
memory/4044-119-0x0000000005250000-0x000000000574E000-memory.dmp

Filesize
5.0MB

Download
memory/4044-118-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/4044-117-0x0000000005750000-0x0000000005751000-memory.dmp

Filesize
4KB

Download
memory/4044-116-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads