formbook | 7515beb02e1280d143b4716f8919e34fadfc7c806e5a354dc3dcd1dd3318882c

General

Target

PL_106104.exe
Size

503KB
MD5

77f1784fa00332d5623aba88277eb8c1
SHA1

248f8ad49c0d3ef5ddbfaa5a8721aa4dc08acdf5
SHA256

7515beb02e1280d143b4716f8919e34fadfc7c806e5a354dc3dcd1dd3318882c
SHA512

28e6d83ed4f71557ad2d6a8c026d4ce57082cc95517aae0f7243aafc3edd5f1db70778a290b62f433fb4a5d31d3d8c9c8f119d45f9e01b8a0d6343e7a3e077c7

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.cornerstonerecruitmentasia.com/nke/

Decoy

igroomed.com

teksoles.com

day7.today

workseap.com

arvinlapid.com

tigerk2.com

serenablackcreatives.com

ladyyougotballs.com

sahnakz.com

farmandranchexchange.com

sentinam.info

slapnmacs.com

healthygut365.com

maximepilorge.com

ishratsvalley.com

peridotalchemy.com

solevux.com

xn--vkc6b6baa6ac1jbwc6l.com

dailyruminant.com

loocalcryptos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1680-65-0x000000000041EB70-mapping.dmp	formbook
behavioral1/memory/1680-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/1720-73-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

404 cmd.exe

pid	process
404	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PL_106104.exePL_106104.execontrol.exe

description	pid	process	target process
PID 1096 set thread context of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1680 set thread context of 1248	1680	PL_106104.exe	Explorer.EXE
PID 1720 set thread context of 1248	1720	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

PL_106104.exePL_106104.execontrol.exe

pid	process
1096	PL_106104.exe
1096	PL_106104.exe
1680	PL_106104.exe
1680	PL_106104.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe
1720	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PL_106104.execontrol.exe

pid process

1680 PL_106104.exe
1680 PL_106104.exe
1680 PL_106104.exe
1720 control.exe
1720 control.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PL_106104.exePL_106104.execontrol.exe

description pid process

Token: SeDebugPrivilege 1096 PL_106104.exe
Token: SeDebugPrivilege 1680 PL_106104.exe
Token: SeDebugPrivilege 1720 control.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE
1248 Explorer.EXE

pid	process
1680	PL_106104.exe
1680	PL_106104.exe
1680	PL_106104.exe
1720	control.exe
1720	control.exe

description	pid	process
Token: SeDebugPrivilege	1096	PL_106104.exe
Token: SeDebugPrivilege	1680	PL_106104.exe
Token: SeDebugPrivilege	1720	control.exe

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

pid	process
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE
1248	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PL_106104.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1096 wrote to memory of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1096 wrote to memory of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1096 wrote to memory of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1096 wrote to memory of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1096 wrote to memory of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1096 wrote to memory of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1096 wrote to memory of 1680	1096	PL_106104.exe	PL_106104.exe
PID 1248 wrote to memory of 1720	1248	Explorer.EXE	control.exe
PID 1248 wrote to memory of 1720	1248	Explorer.EXE	control.exe
PID 1248 wrote to memory of 1720	1248	Explorer.EXE	control.exe
PID 1248 wrote to memory of 1720	1248	Explorer.EXE	control.exe
PID 1720 wrote to memory of 404	1720	control.exe	cmd.exe
PID 1720 wrote to memory of 404	1720	control.exe	cmd.exe
PID 1720 wrote to memory of 404	1720	control.exe	cmd.exe
PID 1720 wrote to memory of 404	1720	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1248
- C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
  "C:\Users\Admin\AppData\Local\Temp\PL_106104.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
    C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1680
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PL_106104.exe"
    3⤵
    - Deletes itself
    PID:404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-74-0x0000000000000000-mapping.dmp

Download
memory/1096-61-0x00000000011D0000-0x00000000011D1000-memory.dmp

Filesize
4KB

Download
memory/1096-62-0x0000000005800000-0x000000000588A000-memory.dmp

Filesize
552KB

Download
memory/1096-63-0x0000000000B80000-0x0000000000BB7000-memory.dmp

Filesize
220KB

Download
memory/1096-59-0x0000000001220000-0x0000000001221000-memory.dmp

Filesize
4KB

Download
memory/1248-69-0x0000000006C70000-0x0000000006DF3000-memory.dmp

Filesize
1.5MB

Download
memory/1248-77-0x0000000005FF0000-0x00000000060D3000-memory.dmp

Filesize
908KB

Download
memory/1680-65-0x000000000041EB70-mapping.dmp

Download
memory/1680-68-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1680-67-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download
memory/1680-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1720-70-0x0000000000000000-mapping.dmp

Download
memory/1720-71-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1720-72-0x0000000000960000-0x000000000097F000-memory.dmp

Filesize
124KB

Download
memory/1720-73-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/1720-75-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/1720-76-0x0000000001D80000-0x0000000001E13000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads