formbook | 1ab3c31624f7aed4e2ec9feecee3cff24e8904709800508e13b6526369e02236

General

Target

PO506202100.exe
Size

742KB
MD5

7c1896eeb884021f4d74144ec78be2e8
SHA1

b4fb3b31f69fc5b048eeb43ea6f8fd97f1fb8f7a
SHA256

1ab3c31624f7aed4e2ec9feecee3cff24e8904709800508e13b6526369e02236
SHA512

e90782dc8b8cbfa8f6052080c6daeaffccede01d57bb944a4d52b9a0fae5fe53009ba0dd4b8c5932ee09c808db38fba27bd7bc6d570d55936b49c7259bc4d935

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.joomlas123.info/3nop/

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1196-66-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/1196-69-0x0000000010410000-0x000000001043D000-memory.dmp	formbook
behavioral1/memory/1364-74-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

Processes:

secinit.exehelp.exe

description	pid	process	target process
PID 1196 set thread context of 1264	1196	secinit.exe	Explorer.EXE
PID 1364 set thread context of 1264	1364	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

secinit.exehelp.exe

pid	process
1196	secinit.exe
1196	secinit.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe
1364	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

secinit.exehelp.exe

pid process

1196 secinit.exe
1196 secinit.exe
1196 secinit.exe
1364 help.exe
1364 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

secinit.exehelp.exe

description pid process

Token: SeDebugPrivilege 1196 secinit.exe
Token: SeDebugPrivilege 1364 help.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE
1264 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1196	secinit.exe
Token: SeDebugPrivilege	1364	help.exe

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

pid	process
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE
1264	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PO506202100.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 788 wrote to memory of 1196	788	PO506202100.exe	secinit.exe
PID 788 wrote to memory of 1196	788	PO506202100.exe	secinit.exe
PID 788 wrote to memory of 1196	788	PO506202100.exe	secinit.exe
PID 788 wrote to memory of 1196	788	PO506202100.exe	secinit.exe
PID 788 wrote to memory of 1196	788	PO506202100.exe	secinit.exe
PID 788 wrote to memory of 1196	788	PO506202100.exe	secinit.exe
PID 788 wrote to memory of 1196	788	PO506202100.exe	secinit.exe
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	help.exe
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	help.exe
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	help.exe
PID 1264 wrote to memory of 1364	1264	Explorer.EXE	help.exe
PID 1364 wrote to memory of 472	1364	help.exe	cmd.exe
PID 1364 wrote to memory of 472	1364	help.exe	cmd.exe
PID 1364 wrote to memory of 472	1364	help.exe	cmd.exe
PID 1364 wrote to memory of 472	1364	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1264

C:\Users\Admin\AppData\Local\Temp\PO506202100.exe
"C:\Users\Admin\AppData\Local\Temp\PO506202100.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:788

C:\Windows\SysWOW64\secinit.exe
C:\Windows\System32\secinit.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1196

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1364

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\secinit.exe"
3⤵
PID:472

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/472-75-0x0000000000000000-mapping.dmp

Download
memory/788-60-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/788-62-0x00000000004F0000-0x000000000050A000-memory.dmp

Filesize
104KB

Download
memory/788-65-0x0000000075551000-0x0000000075553000-memory.dmp

Filesize
8KB

Download
memory/1196-69-0x0000000010410000-0x000000001043D000-memory.dmp

Filesize
180KB

Download
memory/1196-68-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1196-67-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1196-70-0x0000000001F40000-0x0000000002243000-memory.dmp

Filesize
3.0MB

Download
memory/1196-66-0x0000000000000000-mapping.dmp

Download
memory/1264-71-0x0000000004D80000-0x0000000004F24000-memory.dmp

Filesize
1.6MB

Download
memory/1364-72-0x0000000000000000-mapping.dmp

Download
memory/1364-73-0x0000000000D00000-0x0000000000D06000-memory.dmp

Filesize
24KB

Download
memory/1364-74-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1364-76-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1364-77-0x0000000000570000-0x0000000000603000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads