formbook | f8e8f64bb17ffb2fea18b7671602a76a8b5734607c7a7ae035dce8eed8381a74

General

Target

INv02938727.exe
Size

702KB
MD5

a3b74acf9723e53d6caea736faae9708
SHA1

2714e0ec97d81921312f0db6470dc40f55d16b96
SHA256

f8e8f64bb17ffb2fea18b7671602a76a8b5734607c7a7ae035dce8eed8381a74
SHA512

e468c5146e35f8aae5536c7ce6c490b68588af0f71fd5d85d0b1dfe9b1831be55a2d9b8787035fc95e288f41c7ab7c4cf73965d6707bbfbe4685655ffbe4fa6b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy

inspirafutebol.com

customgiftshouston.com

mycreativelending.com

psplaystore.com

newlivingsolutionshop.com

dechefamsterdam.com

servicingl0ans.com

atsdholdings.com

manifestarz.com

sequenceanalytica.com

gethealthcaresmart.com

theartofsurprises.com

pirateequitypatrick.com

alliance-ce.com

wingrushusa.com

funtimespheres.com

solevux.com

antimasathya.com

profitexcavator.com

lankeboxshop.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3940-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3940-126-0x000000000041EBD0-mapping.dmp	formbook
behavioral2/memory/3364-134-0x0000000000490000-0x00000000004BE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

INv02938727.exeINv02938727.execmstp.exe

description	pid	process	target process
PID 784 set thread context of 3940	784	INv02938727.exe	INv02938727.exe
PID 3940 set thread context of 3052	3940	INv02938727.exe	Explorer.EXE
PID 3364 set thread context of 3052	3364	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

INv02938727.exeINv02938727.execmstp.exe

pid	process
784	INv02938727.exe
784	INv02938727.exe
3940	INv02938727.exe
3940	INv02938727.exe
3940	INv02938727.exe
3940	INv02938727.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe
3364	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

INv02938727.execmstp.exe

pid process

3940 INv02938727.exe
3940 INv02938727.exe
3940 INv02938727.exe
3364 cmstp.exe
3364 cmstp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

INv02938727.exeINv02938727.execmstp.exe

description pid process

Token: SeDebugPrivilege 784 INv02938727.exe
Token: SeDebugPrivilege 3940 INv02938727.exe
Token: SeDebugPrivilege 3364 cmstp.exe

pid	process
3940	INv02938727.exe
3940	INv02938727.exe
3940	INv02938727.exe
3364	cmstp.exe
3364	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	784	INv02938727.exe
Token: SeDebugPrivilege	3940	INv02938727.exe
Token: SeDebugPrivilege	3364	cmstp.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

INv02938727.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 784 wrote to memory of 1200	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 1200	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 1200	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 3940	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 3940	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 3940	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 3940	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 3940	784	INv02938727.exe	INv02938727.exe
PID 784 wrote to memory of 3940	784	INv02938727.exe	INv02938727.exe
PID 3052 wrote to memory of 3364	3052	Explorer.EXE	cmstp.exe
PID 3052 wrote to memory of 3364	3052	Explorer.EXE	cmstp.exe
PID 3052 wrote to memory of 3364	3052	Explorer.EXE	cmstp.exe
PID 3364 wrote to memory of 3852	3364	cmstp.exe	cmd.exe
PID 3364 wrote to memory of 3852	3364	cmstp.exe	cmd.exe
PID 3364 wrote to memory of 3852	3364	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\INv02938727.exe
"C:\Users\Admin\AppData\Local\Temp\INv02938727.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\INv02938727.exe
"C:\Users\Admin\AppData\Local\Temp\INv02938727.exe"
3⤵
PID:1200

C:\Users\Admin\AppData\Local\Temp\INv02938727.exe
"C:\Users\Admin\AppData\Local\Temp\INv02938727.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3940

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3364

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\INv02938727.exe"
3⤵
PID:3852

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-116-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/784-117-0x0000000005440000-0x0000000005441000-memory.dmp

Filesize
4KB

Download
memory/784-118-0x0000000004FE0000-0x0000000004FE1000-memory.dmp

Filesize
4KB

Download
memory/784-119-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/784-120-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/784-121-0x0000000004F40000-0x000000000543E000-memory.dmp

Filesize
5.0MB

Download
memory/784-122-0x0000000005400000-0x000000000540E000-memory.dmp

Filesize
56KB

Download
memory/784-123-0x0000000000E20000-0x0000000000EA7000-memory.dmp

Filesize
540KB

Download
memory/784-124-0x0000000000B70000-0x0000000000BAF000-memory.dmp

Filesize
252KB

Download
memory/784-114-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/3052-130-0x0000000003120000-0x00000000031F8000-memory.dmp

Filesize
864KB

Download
memory/3052-137-0x0000000006520000-0x00000000065CC000-memory.dmp

Filesize
688KB

Download
memory/3364-131-0x0000000000000000-mapping.dmp

Download
memory/3364-133-0x0000000000E90000-0x0000000000EA6000-memory.dmp

Filesize
88KB

Download
memory/3364-134-0x0000000000490000-0x00000000004BE000-memory.dmp

Filesize
184KB

Download
memory/3364-135-0x0000000004450000-0x0000000004770000-memory.dmp

Filesize
3.1MB

Download
memory/3364-136-0x0000000004350000-0x00000000043E3000-memory.dmp

Filesize
588KB

Download
memory/3852-132-0x0000000000000000-mapping.dmp

Download
memory/3940-128-0x00000000015E0000-0x0000000001900000-memory.dmp

Filesize
3.1MB

Download
memory/3940-129-0x0000000001580000-0x0000000001594000-memory.dmp

Filesize
80KB

Download
memory/3940-126-0x000000000041EBD0-mapping.dmp

Download
memory/3940-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads