formbook | 82a09751c8b51a1dc0aca4780015f833a2ef01ff6d3d5f2d98dcd588381bec82

General

Target

MSUtbPjUGib2dvd.exe
Size

733KB
MD5

2f7f29fe69e0b9bcd41c069689fd9cb5
SHA1

eacd339fda8902c242a9831dac733ac4ef77d1ee
SHA256

82a09751c8b51a1dc0aca4780015f833a2ef01ff6d3d5f2d98dcd588381bec82
SHA512

3becde1b46a4f640899bd4286fb0ba892e4cfe24a3c4c2c1b6975628ad71f75abaceedde64f1e0d870f2224236287875bd8f394cfe362cb2bca7b7a9ee712f1f

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.zmuoxb.com/ffy/

Decoy

kundk-gebaeudemanagement.com

theeconomicalmillennial.com

bigbuttdating.net

dauthomdubai.com

thesilverslipper.club

onwardmotionpictures.com

tl2009.com

nelivo.com

valuablebet.com

kupiokno-online.com

magnoot.xyz

blandiskodk.com

thevibes.net

tp-simogame.com

cigarettes-on-line.com

radiancebyreilly.com

1mame.net

fimimarket.com

cayupi.com

transperucorp.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2804-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2804-126-0x000000000041EB80-mapping.dmp	formbook
behavioral2/memory/2260-133-0x0000000003240000-0x000000000326E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

MSUtbPjUGib2dvd.exeMSUtbPjUGib2dvd.exemstsc.exe

description	pid	process	target process
PID 512 set thread context of 2804	512	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 2804 set thread context of 388	2804	MSUtbPjUGib2dvd.exe	Explorer.EXE
PID 2260 set thread context of 388	2260	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

MSUtbPjUGib2dvd.exemstsc.exe

pid	process
2804	MSUtbPjUGib2dvd.exe
2804	MSUtbPjUGib2dvd.exe
2804	MSUtbPjUGib2dvd.exe
2804	MSUtbPjUGib2dvd.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe
2260	mstsc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSUtbPjUGib2dvd.exemstsc.exe

pid process

2804 MSUtbPjUGib2dvd.exe
2804 MSUtbPjUGib2dvd.exe
2804 MSUtbPjUGib2dvd.exe
2260 mstsc.exe
2260 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

MSUtbPjUGib2dvd.exemstsc.exe

description pid process

Token: SeDebugPrivilege 2804 MSUtbPjUGib2dvd.exe
Token: SeDebugPrivilege 2260 mstsc.exe

description	pid	process
Token: SeDebugPrivilege	2804	MSUtbPjUGib2dvd.exe
Token: SeDebugPrivilege	2260	mstsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

MSUtbPjUGib2dvd.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 512 wrote to memory of 2804	512	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 512 wrote to memory of 2804	512	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 512 wrote to memory of 2804	512	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 512 wrote to memory of 2804	512	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 512 wrote to memory of 2804	512	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 512 wrote to memory of 2804	512	MSUtbPjUGib2dvd.exe	MSUtbPjUGib2dvd.exe
PID 388 wrote to memory of 2260	388	Explorer.EXE	mstsc.exe
PID 388 wrote to memory of 2260	388	Explorer.EXE	mstsc.exe
PID 388 wrote to memory of 2260	388	Explorer.EXE	mstsc.exe
PID 2260 wrote to memory of 592	2260	mstsc.exe	cmd.exe
PID 2260 wrote to memory of 592	2260	mstsc.exe	cmd.exe
PID 2260 wrote to memory of 592	2260	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe
"C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe
"C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2804

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\MSUtbPjUGib2dvd.exe"
3⤵
PID:592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-130-0x0000000006490000-0x0000000006613000-memory.dmp

Filesize
1.5MB

Download
memory/388-137-0x00000000058B0000-0x0000000005989000-memory.dmp

Filesize
868KB

Download
memory/512-121-0x00000000054C0000-0x00000000054CD000-memory.dmp

Filesize
52KB

Download
memory/512-118-0x0000000005070000-0x0000000005071000-memory.dmp

Filesize
4KB

Download
memory/512-119-0x0000000005020000-0x0000000005021000-memory.dmp

Filesize
4KB

Download
memory/512-120-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/512-117-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/512-122-0x0000000004FD0000-0x00000000054CE000-memory.dmp

Filesize
5.0MB

Download
memory/512-123-0x0000000000F90000-0x0000000001009000-memory.dmp

Filesize
484KB

Download
memory/512-124-0x0000000008250000-0x0000000008286000-memory.dmp

Filesize
216KB

Download
memory/512-116-0x0000000004F30000-0x0000000004F31000-memory.dmp

Filesize
4KB

Download
memory/512-114-0x00000000006A0000-0x00000000006A1000-memory.dmp

Filesize
4KB

Download
memory/592-134-0x0000000000000000-mapping.dmp

Download
memory/2260-131-0x0000000000000000-mapping.dmp

Download
memory/2260-133-0x0000000003240000-0x000000000326E000-memory.dmp

Filesize
184KB

Download
memory/2260-132-0x0000000000C40000-0x0000000000F3C000-memory.dmp

Filesize
3.0MB

Download
memory/2260-135-0x0000000005160000-0x0000000005480000-memory.dmp

Filesize
3.1MB

Download
memory/2260-136-0x00000000050C0000-0x0000000005153000-memory.dmp

Filesize
588KB

Download
memory/2804-128-0x0000000001450000-0x0000000001770000-memory.dmp

Filesize
3.1MB

Download
memory/2804-129-0x0000000001920000-0x0000000001934000-memory.dmp

Filesize
80KB

Download
memory/2804-126-0x000000000041EB80-mapping.dmp

Download
memory/2804-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads