formbook | 929fd55e632471f4f35295e574c6814a3de9662398b7a606e352ecba9c52de7e

General

Target

w73FtMA4ZTl9NFm.exe
Size

762KB
MD5

ff44bfe6955f4d11f915b4a0b818fc7c
SHA1

3e094caff011346ad02aeafcb5769a519cf10dc0
SHA256

929fd55e632471f4f35295e574c6814a3de9662398b7a606e352ecba9c52de7e
SHA512

f4ee80c0bb0bae5532b880ffa704d8d99f06c0c6b3699b95be3e802347345b7cc62251ff16a0a1023303a1a72f987d39be271579652c0364485a82e7e2ab649d

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.naiping8.com/blm/

Decoy

basilaws.com

laesses.com

isematsudai.com

cafperfect.com

listocalistoanimation.com

bikesofthefuture.com

sweette.com

instagramhelpsnow.com

wuxians.com

canadianpayday.loans

tiklaulan.xyz

marketingbuddhi.com

centrocaninopochs.com

doodletrends.com

praiship.com

alghuta.com

kompramania.com

thenewdawncompany.com

shopthegoodbar.com

emergencyuavsolutions.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3788-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3788-126-0x000000000041EAF0-mapping.dmp	formbook
behavioral2/memory/2728-134-0x0000000000110000-0x000000000013E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

w73FtMA4ZTl9NFm.exew73FtMA4ZTl9NFm.exesvchost.exe

description	pid	process	target process
PID 808 set thread context of 3788	808	w73FtMA4ZTl9NFm.exe	w73FtMA4ZTl9NFm.exe
PID 3788 set thread context of 3060	3788	w73FtMA4ZTl9NFm.exe	Explorer.EXE
PID 2728 set thread context of 3060	2728	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

w73FtMA4ZTl9NFm.exesvchost.exe

pid	process
3788	w73FtMA4ZTl9NFm.exe
3788	w73FtMA4ZTl9NFm.exe
3788	w73FtMA4ZTl9NFm.exe
3788	w73FtMA4ZTl9NFm.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe
2728	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

w73FtMA4ZTl9NFm.exesvchost.exe

pid process

3788 w73FtMA4ZTl9NFm.exe
3788 w73FtMA4ZTl9NFm.exe
3788 w73FtMA4ZTl9NFm.exe
2728 svchost.exe
2728 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

w73FtMA4ZTl9NFm.exesvchost.exe

description pid process

Token: SeDebugPrivilege 3788 w73FtMA4ZTl9NFm.exe
Token: SeDebugPrivilege 2728 svchost.exe

description	pid	process
Token: SeDebugPrivilege	3788	w73FtMA4ZTl9NFm.exe
Token: SeDebugPrivilege	2728	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

w73FtMA4ZTl9NFm.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 808 wrote to memory of 3788	808	w73FtMA4ZTl9NFm.exe	w73FtMA4ZTl9NFm.exe
PID 808 wrote to memory of 3788	808	w73FtMA4ZTl9NFm.exe	w73FtMA4ZTl9NFm.exe
PID 808 wrote to memory of 3788	808	w73FtMA4ZTl9NFm.exe	w73FtMA4ZTl9NFm.exe
PID 808 wrote to memory of 3788	808	w73FtMA4ZTl9NFm.exe	w73FtMA4ZTl9NFm.exe
PID 808 wrote to memory of 3788	808	w73FtMA4ZTl9NFm.exe	w73FtMA4ZTl9NFm.exe
PID 808 wrote to memory of 3788	808	w73FtMA4ZTl9NFm.exe	w73FtMA4ZTl9NFm.exe
PID 3060 wrote to memory of 2728	3060	Explorer.EXE	svchost.exe
PID 3060 wrote to memory of 2728	3060	Explorer.EXE	svchost.exe
PID 3060 wrote to memory of 2728	3060	Explorer.EXE	svchost.exe
PID 2728 wrote to memory of 3444	2728	svchost.exe	cmd.exe
PID 2728 wrote to memory of 3444	2728	svchost.exe	cmd.exe
PID 2728 wrote to memory of 3444	2728	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3060

C:\Users\Admin\AppData\Local\Temp\w73FtMA4ZTl9NFm.exe
"C:\Users\Admin\AppData\Local\Temp\w73FtMA4ZTl9NFm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:808

C:\Users\Admin\AppData\Local\Temp\w73FtMA4ZTl9NFm.exe
"C:\Users\Admin\AppData\Local\Temp\w73FtMA4ZTl9NFm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3788

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2728

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\w73FtMA4ZTl9NFm.exe"
3⤵
PID:3444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/808-114-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/808-116-0x0000000004DA0000-0x0000000004DA1000-memory.dmp

Filesize
4KB

Download
memory/808-117-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/808-118-0x0000000004EE0000-0x0000000004EE1000-memory.dmp

Filesize
4KB

Download
memory/808-119-0x0000000004E40000-0x000000000533E000-memory.dmp

Filesize
5.0MB

Download
memory/808-120-0x0000000004D70000-0x0000000004D71000-memory.dmp

Filesize
4KB

Download
memory/808-121-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/808-122-0x0000000004ED0000-0x0000000004EDE000-memory.dmp

Filesize
56KB

Download
memory/808-123-0x0000000005BC0000-0x0000000005C6C000-memory.dmp

Filesize
688KB

Download
memory/808-124-0x0000000000D40000-0x0000000000DA6000-memory.dmp

Filesize
408KB

Download
memory/2728-131-0x0000000000000000-mapping.dmp

Download
memory/2728-134-0x0000000000110000-0x000000000013E000-memory.dmp

Filesize
184KB

Download
memory/2728-133-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/2728-135-0x0000000002C90000-0x0000000002FB0000-memory.dmp

Filesize
3.1MB

Download
memory/2728-136-0x0000000002B00000-0x0000000002B93000-memory.dmp

Filesize
588KB

Download
memory/3060-130-0x0000000005AD0000-0x0000000005BD4000-memory.dmp

Filesize
1.0MB

Download
memory/3060-137-0x0000000006950000-0x0000000006AA3000-memory.dmp

Filesize
1.3MB

Download
memory/3444-132-0x0000000000000000-mapping.dmp

Download
memory/3788-126-0x000000000041EAF0-mapping.dmp

Download
memory/3788-129-0x0000000001540000-0x0000000001554000-memory.dmp

Filesize
80KB

Download
memory/3788-128-0x00000000011E0000-0x0000000001500000-memory.dmp

Filesize
3.1MB

Download
memory/3788-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads