formbook | 82a09751c8b51a1dc0aca4780015f833a2ef01ff6d3d5f2d98dcd588381bec82

General

Target

MSUtbPjUGib2dvd.exe
Size

733KB
MD5

2f7f29fe69e0b9bcd41c069689fd9cb5
SHA1

eacd339fda8902c242a9831dac733ac4ef77d1ee
SHA256

82a09751c8b51a1dc0aca4780015f833a2ef01ff6d3d5f2d98dcd588381bec82
SHA512

3becde1b46a4f640899bd4286fb0ba892e4cfe24a3c4c2c1b6975628ad71f75abaceedde64f1e0d870f2224236287875bd8f394cfe362cb2bca7b7a9ee712f1f

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.zmuoxb.com/ffy/

Decoy

kundk-gebaeudemanagement.com

theeconomicalmillennial.com

bigbuttdating.net

dauthomdubai.com

thesilverslipper.club

onwardmotionpictures.com

tl2009.com

nelivo.com

valuablebet.com

kupiokno-online.com

magnoot.xyz

blandiskodk.com

thevibes.net

tp-simogame.com

cigarettes-on-line.com

radiancebyreilly.com

1mame.net

fimimarket.com

cayupi.com

transperucorp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/268-65-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/268-66-0x000000000041EB80-mapping.dmp	formbook
behavioral1/memory/1768-74-0x0000000000070000-0x000000000009E000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1812 cmd.exe

pid	process
1812	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSUtbPjUGib2dvd.exeMSUtbPjUGib2dvd.exewscript.exe

description	pid	process	target process
PID 1632 set thread context of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 268 set thread context of 1244	268	MSUtbPjUGib2dvd.exe	Explorer.EXE
PID 1768 set thread context of 1244	1768	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

MSUtbPjUGib2dvd.exewscript.exe

pid	process
268	MSUtbPjUGib2dvd.exe
268	MSUtbPjUGib2dvd.exe
1768	wscript.exe
1768	wscript.exe
1768	wscript.exe
1768	wscript.exe
1768	wscript.exe
1768	wscript.exe
1768	wscript.exe
1768	wscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSUtbPjUGib2dvd.exewscript.exe

pid process

268 MSUtbPjUGib2dvd.exe
268 MSUtbPjUGib2dvd.exe
268 MSUtbPjUGib2dvd.exe
1768 wscript.exe
1768 wscript.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSUtbPjUGib2dvd.exewscript.exe

description pid process

Token: SeDebugPrivilege 268 MSUtbPjUGib2dvd.exe
Token: SeDebugPrivilege 1768 wscript.exe

description	pid	process
Token: SeDebugPrivilege	268	MSUtbPjUGib2dvd.exe
Token: SeDebugPrivilege	1768	wscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

MSUtbPjUGib2dvd.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1632 wrote to memory of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 1632 wrote to memory of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 1632 wrote to memory of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 1632 wrote to memory of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 1632 wrote to memory of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 1632 wrote to memory of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 1632 wrote to memory of 268	1632	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 1244 wrote to memory of 1768	1244	Explorer.EXE	wscript.exe
PID 1244 wrote to memory of 1768	1244	Explorer.EXE	wscript.exe
PID 1244 wrote to memory of 1768	1244	Explorer.EXE	wscript.exe
PID 1244 wrote to memory of 1768	1244	Explorer.EXE	wscript.exe
PID 1768 wrote to memory of 1812	1768	wscript.exe	cmd.exe
PID 1768 wrote to memory of 1812	1768	wscript.exe	cmd.exe
PID 1768 wrote to memory of 1812	1768	wscript.exe	cmd.exe
PID 1768 wrote to memory of 1812	1768	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1244

C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe
"C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1632

C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe
"C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:268

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:572

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe"
3⤵
- Deletes itself
PID:1812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-66-0x000000000041EB80-mapping.dmp

Download
memory/268-69-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/268-68-0x0000000000C30000-0x0000000000F33000-memory.dmp

Filesize
3.0MB

Download
memory/268-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1244-77-0x0000000004C30000-0x0000000004D8B000-memory.dmp

Filesize
1.4MB

Download
memory/1244-70-0x0000000003EF0000-0x0000000004059000-memory.dmp

Filesize
1.4MB

Download
memory/1632-64-0x0000000002170000-0x00000000021A6000-memory.dmp

Filesize
216KB

Download
memory/1632-59-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/1632-63-0x0000000004F00000-0x0000000004F79000-memory.dmp

Filesize
484KB

Download
memory/1632-62-0x00000000007C0000-0x00000000007CD000-memory.dmp

Filesize
52KB

Download
memory/1632-61-0x0000000004DC0000-0x0000000004DC1000-memory.dmp

Filesize
4KB

Download
memory/1768-71-0x0000000000000000-mapping.dmp

Download
memory/1768-74-0x0000000000070000-0x000000000009E000-memory.dmp

Filesize
184KB

Download
memory/1768-75-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/1768-73-0x0000000000E90000-0x0000000000EB6000-memory.dmp

Filesize
152KB

Download
memory/1768-76-0x00000000022C0000-0x0000000002353000-memory.dmp

Filesize
588KB

Download
memory/1812-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads