formbook | 9e393967e94c1f667955493b1b23f0b74c732a46c4eaa04d6e13a51c33a17ab9

General

Target

Purchase Order-10764.exe
Size

778KB
MD5

e215c8ce14ee4aaef36fff8d642d65f2
SHA1

51ac31f69e5b45e738ed6d38539c228693ac4ce7
SHA256

9e393967e94c1f667955493b1b23f0b74c732a46c4eaa04d6e13a51c33a17ab9
SHA512

12eb4ab62431fe882651d178ef8288f9f934a30af602177eebd54f2f94f2d3cfacf03488fc7ac9975f7c65e58ee9f502c347f84b9372e05ce68c71d91c0f4090

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.magnumopuspro.com/nyr/

Decoy

anemone-vintage.com

ironcitytools.com

joshandmatthew.com

breathtakingscenery.photos

karabakh-terror.com

micahelgall.com

entretiendesterrasses.com

mhgholdings.com

blewm.com

sidewalknotary.com

ytrs-elec.com

danhpham.com

ma21cle2henz.xyz

lotusforlease.com

shipleyphotoandfilm.com

bulktool.xyz

ouedzmala.com

yichengvpr.com

connectmygames.com

chjcsc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3360-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3360-126-0x000000000041EBA0-mapping.dmp	formbook
behavioral2/memory/2140-134-0x0000000000860000-0x000000000088E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order-10764.exePurchase Order-10764.exewscript.exe

description	pid	process	target process
PID 1908 set thread context of 3360	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 3360 set thread context of 2460	3360	Purchase Order-10764.exe	Explorer.EXE
PID 2140 set thread context of 2460	2140	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Purchase Order-10764.exePurchase Order-10764.exewscript.exe

pid	process
1908	Purchase Order-10764.exe
1908	Purchase Order-10764.exe
3360	Purchase Order-10764.exe
3360	Purchase Order-10764.exe
3360	Purchase Order-10764.exe
3360	Purchase Order-10764.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe
2140	wscript.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Purchase Order-10764.exewscript.exe

pid process

3360 Purchase Order-10764.exe
3360 Purchase Order-10764.exe
3360 Purchase Order-10764.exe
2140 wscript.exe
2140 wscript.exe

pid	process
3360	Purchase Order-10764.exe
3360	Purchase Order-10764.exe
3360	Purchase Order-10764.exe
2140	wscript.exe
2140	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Purchase Order-10764.exePurchase Order-10764.exewscript.exe

description	pid	process
Token: SeDebugPrivilege	1908	Purchase Order-10764.exe
Token: SeDebugPrivilege	3360	Purchase Order-10764.exe
Token: SeDebugPrivilege	2140	wscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Purchase Order-10764.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 1908 wrote to memory of 3984	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3984	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3984	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3360	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3360	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3360	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3360	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3360	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 1908 wrote to memory of 3360	1908	Purchase Order-10764.exe	Purchase Order-10764.exe
PID 2460 wrote to memory of 2140	2460	Explorer.EXE	wscript.exe
PID 2460 wrote to memory of 2140	2460	Explorer.EXE	wscript.exe
PID 2460 wrote to memory of 2140	2460	Explorer.EXE	wscript.exe
PID 2140 wrote to memory of 2852	2140	wscript.exe	cmd.exe
PID 2140 wrote to memory of 2852	2140	wscript.exe	cmd.exe
PID 2140 wrote to memory of 2852	2140	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Users\Admin\AppData\Local\Temp\Purchase Order-10764.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order-10764.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1908
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order-10764.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order-10764.exe"
    3⤵
    PID:3984
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order-10764.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order-10764.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:8
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:1860
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2120
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2140
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order-10764.exe"
    3⤵
    PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-114-0x0000000000D90000-0x0000000000D91000-memory.dmp

Filesize
4KB

Download
memory/1908-116-0x0000000005660000-0x0000000005661000-memory.dmp

Filesize
4KB

Download
memory/1908-117-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/1908-118-0x0000000005840000-0x0000000005841000-memory.dmp

Filesize
4KB

Download
memory/1908-119-0x0000000005700000-0x0000000005701000-memory.dmp

Filesize
4KB

Download
memory/1908-120-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/1908-121-0x0000000005C80000-0x0000000005C84000-memory.dmp

Filesize
16KB

Download
memory/1908-122-0x00000000057A0000-0x0000000005C9E000-memory.dmp

Filesize
5.0MB

Download
memory/1908-123-0x0000000001220000-0x00000000012A0000-memory.dmp

Filesize
512KB

Download
memory/1908-124-0x000000000A540000-0x000000000A579000-memory.dmp

Filesize
228KB

Download
memory/2140-131-0x0000000000000000-mapping.dmp

Download
memory/2140-133-0x0000000000980000-0x00000000009A7000-memory.dmp

Filesize
156KB

Download
memory/2140-134-0x0000000000860000-0x000000000088E000-memory.dmp

Filesize
184KB

Download
memory/2140-135-0x0000000004BC0000-0x0000000004EE0000-memory.dmp

Filesize
3.1MB

Download
memory/2140-136-0x00000000049F0000-0x0000000004A83000-memory.dmp

Filesize
588KB

Download
memory/2460-130-0x0000000005F50000-0x00000000060C4000-memory.dmp

Filesize
1.5MB

Download
memory/2460-137-0x0000000000760000-0x00000000008AA000-memory.dmp

Filesize
1.3MB

Download
memory/2852-132-0x0000000000000000-mapping.dmp

Download
memory/3360-126-0x000000000041EBA0-mapping.dmp

Download
memory/3360-129-0x0000000001540000-0x0000000001554000-memory.dmp

Filesize
80KB

Download
memory/3360-128-0x0000000001220000-0x0000000001540000-memory.dmp

Filesize
3.1MB

Download
memory/3360-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads