formbook | 7515beb02e1280d143b4716f8919e34fadfc7c806e5a354dc3dcd1dd3318882c

General

Target

PL_106104.exe
Size

503KB
MD5

77f1784fa00332d5623aba88277eb8c1
SHA1

248f8ad49c0d3ef5ddbfaa5a8721aa4dc08acdf5
SHA256

7515beb02e1280d143b4716f8919e34fadfc7c806e5a354dc3dcd1dd3318882c
SHA512

28e6d83ed4f71557ad2d6a8c026d4ce57082cc95517aae0f7243aafc3edd5f1db70778a290b62f433fb4a5d31d3d8c9c8f119d45f9e01b8a0d6343e7a3e077c7

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.cornerstonerecruitmentasia.com/nke/

Decoy

igroomed.com

teksoles.com

day7.today

workseap.com

arvinlapid.com

tigerk2.com

serenablackcreatives.com

ladyyougotballs.com

sahnakz.com

farmandranchexchange.com

sentinam.info

slapnmacs.com

healthygut365.com

maximepilorge.com

ishratsvalley.com

peridotalchemy.com

solevux.com

xn--vkc6b6baa6ac1jbwc6l.com

dailyruminant.com

loocalcryptos.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3196-123-0x000000000041EB70-mapping.dmp	formbook
behavioral2/memory/3196-122-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2152-131-0x0000000000110000-0x000000000013E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PL_106104.exePL_106104.exeNETSTAT.EXE

description	pid	process	target process
PID 2232 set thread context of 3196	2232	PL_106104.exe	PL_106104.exe
PID 3196 set thread context of 1700	3196	PL_106104.exe	Explorer.EXE
PID 2152 set thread context of 1700	2152	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

2152 NETSTAT.EXE

pid	process
2152	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

PL_106104.exePL_106104.exeNETSTAT.EXE

pid	process
2232	PL_106104.exe
2232	PL_106104.exe
3196	PL_106104.exe
3196	PL_106104.exe
3196	PL_106104.exe
3196	PL_106104.exe
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE
2152	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1700 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PL_106104.exeNETSTAT.EXE

pid process

3196 PL_106104.exe
3196 PL_106104.exe
3196 PL_106104.exe
2152 NETSTAT.EXE
2152 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PL_106104.exePL_106104.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2232 PL_106104.exe
Token: SeDebugPrivilege 3196 PL_106104.exe
Token: SeDebugPrivilege 2152 NETSTAT.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1700 Explorer.EXE

pid	process
1700	Explorer.EXE

pid	process
3196	PL_106104.exe
3196	PL_106104.exe
3196	PL_106104.exe
2152	NETSTAT.EXE
2152	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	2232	PL_106104.exe
Token: SeDebugPrivilege	3196	PL_106104.exe
Token: SeDebugPrivilege	2152	NETSTAT.EXE

pid	process
1700	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PL_106104.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2232 wrote to memory of 3196	2232	PL_106104.exe	PL_106104.exe
PID 2232 wrote to memory of 3196	2232	PL_106104.exe	PL_106104.exe
PID 2232 wrote to memory of 3196	2232	PL_106104.exe	PL_106104.exe
PID 2232 wrote to memory of 3196	2232	PL_106104.exe	PL_106104.exe
PID 2232 wrote to memory of 3196	2232	PL_106104.exe	PL_106104.exe
PID 2232 wrote to memory of 3196	2232	PL_106104.exe	PL_106104.exe
PID 1700 wrote to memory of 2152	1700	Explorer.EXE	NETSTAT.EXE
PID 1700 wrote to memory of 2152	1700	Explorer.EXE	NETSTAT.EXE
PID 1700 wrote to memory of 2152	1700	Explorer.EXE	NETSTAT.EXE
PID 2152 wrote to memory of 376	2152	NETSTAT.EXE	cmd.exe
PID 2152 wrote to memory of 376	2152	NETSTAT.EXE	cmd.exe
PID 2152 wrote to memory of 376	2152	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1700
- C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
  "C:\Users\Admin\AppData\Local\Temp\PL_106104.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
    C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3196
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:2080
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\PL_106104.exe"
    3⤵
    PID:376

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/376-129-0x0000000000000000-mapping.dmp

Download
memory/1700-127-0x0000000006430000-0x0000000006588000-memory.dmp

Filesize
1.3MB

Download
memory/1700-134-0x0000000005410000-0x0000000005513000-memory.dmp

Filesize
1.0MB

Download
memory/2152-133-0x0000000000880000-0x0000000000913000-memory.dmp

Filesize
588KB

Download
memory/2152-132-0x0000000000B60000-0x0000000000E80000-memory.dmp

Filesize
3.1MB

Download
memory/2152-130-0x00000000012B0000-0x00000000012BB000-memory.dmp

Filesize
44KB

Download
memory/2152-131-0x0000000000110000-0x000000000013E000-memory.dmp

Filesize
184KB

Download
memory/2152-128-0x0000000000000000-mapping.dmp

Download
memory/2232-119-0x0000000002DD0000-0x0000000002DD1000-memory.dmp

Filesize
4KB

Download
memory/2232-121-0x0000000007040000-0x0000000007077000-memory.dmp

Filesize
220KB

Download
memory/2232-120-0x0000000006FA0000-0x000000000702A000-memory.dmp

Filesize
552KB

Download
memory/2232-114-0x0000000000B40000-0x0000000000B41000-memory.dmp

Filesize
4KB

Download
memory/2232-118-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2232-117-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/2232-116-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/3196-125-0x0000000001760000-0x0000000001A80000-memory.dmp

Filesize
3.1MB

Download
memory/3196-126-0x00000000011D0000-0x000000000131A000-memory.dmp

Filesize
1.3MB

Download
memory/3196-122-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3196-123-0x000000000041EB70-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads