formbook | 83fed765d229173fedc6811b521cebdfcec3342713679a57d49188ba554c00fb

General

Target

Order 202139769574,.exe
Size

845KB
MD5

d72f1abe7c521c844071a8265b92545b
SHA1

0c59a02103a9a7fb663a37809563a48a8adb097e
SHA256

83fed765d229173fedc6811b521cebdfcec3342713679a57d49188ba554c00fb
SHA512

c1cc91e626d3600a5e7c03c61e051f29dc1f3a3dc10550b0587e2540e7c8ca2ff4cdea5b5fed79dc0c167d9ae2182178d5ea97ec424dd21486f56b28859382e8

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.magnumopuspro.com/nyr/

Decoy

anemone-vintage.com

ironcitytools.com

joshandmatthew.com

breathtakingscenery.photos

karabakh-terror.com

micahelgall.com

entretiendesterrasses.com

mhgholdings.com

blewm.com

sidewalknotary.com

ytrs-elec.com

danhpham.com

ma21cle2henz.xyz

lotusforlease.com

shipleyphotoandfilm.com

bulktool.xyz

ouedzmala.com

yichengvpr.com

connectmygames.com

chjcsc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3088-124-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3088-125-0x000000000041EBA0-mapping.dmp	formbook
behavioral2/memory/3984-134-0x0000000003240000-0x000000000326E000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Order 202139769574,.exeOrder 202139769574,.exemstsc.exe

description	pid	process	target process
PID 784 set thread context of 3088	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 3088 set thread context of 3052	3088	Order 202139769574,.exe	Explorer.EXE
PID 3088 set thread context of 3052	3088	Order 202139769574,.exe	Explorer.EXE
PID 3984 set thread context of 3052	3984	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

Order 202139769574,.exeOrder 202139769574,.exemstsc.exe

pid	process
784	Order 202139769574,.exe
784	Order 202139769574,.exe
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe
3984	mstsc.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Order 202139769574,.exemstsc.exe

pid process

3088 Order 202139769574,.exe
3088 Order 202139769574,.exe
3088 Order 202139769574,.exe
3088 Order 202139769574,.exe
3984 mstsc.exe
3984 mstsc.exe

pid	process
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3088	Order 202139769574,.exe
3984	mstsc.exe
3984	mstsc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Order 202139769574,.exeOrder 202139769574,.exemstsc.exe

description	pid	process
Token: SeDebugPrivilege	784	Order 202139769574,.exe
Token: SeDebugPrivilege	3088	Order 202139769574,.exe
Token: SeDebugPrivilege	3984	mstsc.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Order 202139769574,.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 784 wrote to memory of 2616	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 2616	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 2616	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 3088	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 3088	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 3088	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 3088	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 3088	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 784 wrote to memory of 3088	784	Order 202139769574,.exe	Order 202139769574,.exe
PID 3052 wrote to memory of 3984	3052	Explorer.EXE	mstsc.exe
PID 3052 wrote to memory of 3984	3052	Explorer.EXE	mstsc.exe
PID 3052 wrote to memory of 3984	3052	Explorer.EXE	mstsc.exe
PID 3984 wrote to memory of 2080	3984	mstsc.exe	cmd.exe
PID 3984 wrote to memory of 2080	3984	mstsc.exe	cmd.exe
PID 3984 wrote to memory of 2080	3984	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\Order 202139769574,.exe
"C:\Users\Admin\AppData\Local\Temp\Order 202139769574,.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\Order 202139769574,.exe
"C:\Users\Admin\AppData\Local\Temp\Order 202139769574,.exe"
3⤵
PID:2616

C:\Users\Admin\AppData\Local\Temp\Order 202139769574,.exe
"C:\Users\Admin\AppData\Local\Temp\Order 202139769574,.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3088

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3984

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Order 202139769574,.exe"
3⤵
PID:2080

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-121-0x0000000005010000-0x0000000005014000-memory.dmp

Filesize
16KB

Download
memory/784-116-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/784-117-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download
memory/784-118-0x0000000004EB0000-0x0000000004EB1000-memory.dmp

Filesize
4KB

Download
memory/784-119-0x0000000004E10000-0x000000000530E000-memory.dmp

Filesize
5.0MB

Download
memory/784-120-0x0000000004F70000-0x0000000004F71000-memory.dmp

Filesize
4KB

Download
memory/784-122-0x0000000000DD0000-0x0000000000E4E000-memory.dmp

Filesize
504KB

Download
memory/784-123-0x00000000080C0000-0x00000000080F8000-memory.dmp

Filesize
224KB

Download
memory/784-114-0x0000000000460000-0x0000000000461000-memory.dmp

Filesize
4KB

Download
memory/2080-136-0x0000000000000000-mapping.dmp

Download
memory/3052-131-0x0000000003120000-0x000000000320B000-memory.dmp

Filesize
940KB

Download
memory/3052-138-0x0000000006520000-0x00000000065F5000-memory.dmp

Filesize
852KB

Download
memory/3052-129-0x0000000006A90000-0x0000000006C1C000-memory.dmp

Filesize
1.5MB

Download
memory/3088-125-0x000000000041EBA0-mapping.dmp

Download
memory/3088-128-0x0000000001080000-0x0000000001094000-memory.dmp

Filesize
80KB

Download
memory/3088-130-0x00000000014D0000-0x00000000014E4000-memory.dmp

Filesize
80KB

Download
memory/3088-127-0x00000000014F0000-0x0000000001810000-memory.dmp

Filesize
3.1MB

Download
memory/3088-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3984-132-0x0000000000000000-mapping.dmp

Download
memory/3984-133-0x0000000000170000-0x000000000046C000-memory.dmp

Filesize
3.0MB

Download
memory/3984-134-0x0000000003240000-0x000000000326E000-memory.dmp

Filesize
184KB

Download
memory/3984-135-0x00000000047F0000-0x0000000004B10000-memory.dmp

Filesize
3.1MB

Download
memory/3984-137-0x0000000004BB0000-0x0000000004C43000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads