formbook | 24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e

General

Target

mal.pif.exe
Size

591KB
MD5

b9bca038d7532ec8a1a9ba0e867061bc
SHA1

6596ac1216bf03d88482415755c499ed6388cab4
SHA256

24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
SHA512

861bfb748cd3060698d23e04e0b58d2e2eb12dedfbfdeeece6a5643bdeab9472bbe3f73d144e95fd78e8ee862ae3fde9385b11b2f35b0ea0c974326d70846e6d

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.trendtechpros.com/sm3l/

Decoy

svp-india.com

feistyflowerfarmers.com

artprogressive.com

thedavidweaver.com

currentputative.life

bluedot3dwdbuy.com

xxxmeetme.com

signify2.com

converseshoes-canada.com

schemabuilder.net

crmcti.com

mctrh.com

ringroadpartners.com

stresslesspilates.com

directorytexas.xyz

sarahcarver.com

diigveda.com

lifeliveslive.com

inprize2020.club

sellerbantuan-bukalapak.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/392-66-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/392-67-0x000000000041EB40-mapping.dmp	formbook
behavioral1/memory/544-73-0x0000000000090000-0x00000000000BE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

956 cmd.exe

pid	process
956	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

mal.pif.exemal.pif.exewuapp.exe

description	pid	process	target process
PID 1072 set thread context of 392	1072	mal.pif.exe	mal.pif.exe
PID 392 set thread context of 1200	392	mal.pif.exe	Explorer.EXE
PID 544 set thread context of 1200	544	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

mal.pif.exemal.pif.exewuapp.exe

pid	process
1072	mal.pif.exe
1072	mal.pif.exe
1072	mal.pif.exe
1072	mal.pif.exe
1072	mal.pif.exe
1072	mal.pif.exe
1072	mal.pif.exe
1072	mal.pif.exe
392	mal.pif.exe
392	mal.pif.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe
544	wuapp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mal.pif.exewuapp.exe

pid process

392 mal.pif.exe
392 mal.pif.exe
392 mal.pif.exe
544 wuapp.exe
544 wuapp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

mal.pif.exemal.pif.exewuapp.exe

description pid process

Token: SeDebugPrivilege 1072 mal.pif.exe
Token: SeDebugPrivilege 392 mal.pif.exe
Token: SeDebugPrivilege 544 wuapp.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE
1200 Explorer.EXE

pid	process
392	mal.pif.exe
392	mal.pif.exe
392	mal.pif.exe
544	wuapp.exe
544	wuapp.exe

description	pid	process
Token: SeDebugPrivilege	1072	mal.pif.exe
Token: SeDebugPrivilege	392	mal.pif.exe
Token: SeDebugPrivilege	544	wuapp.exe

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

pid	process
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 34 IoCs

Processes:

mal.pif.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1072 wrote to memory of 640	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 640	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 640	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 640	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1332	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1332	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1332	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1332	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1228	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1228	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1228	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 1228	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 364	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 364	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 364	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 364	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 392	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 392	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 392	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 392	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 392	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 392	1072	mal.pif.exe	mal.pif.exe
PID 1072 wrote to memory of 392	1072	mal.pif.exe	mal.pif.exe
PID 1200 wrote to memory of 544	1200	Explorer.EXE	wuapp.exe
PID 1200 wrote to memory of 544	1200	Explorer.EXE	wuapp.exe
PID 1200 wrote to memory of 544	1200	Explorer.EXE	wuapp.exe
PID 1200 wrote to memory of 544	1200	Explorer.EXE	wuapp.exe
PID 1200 wrote to memory of 544	1200	Explorer.EXE	wuapp.exe
PID 1200 wrote to memory of 544	1200	Explorer.EXE	wuapp.exe
PID 1200 wrote to memory of 544	1200	Explorer.EXE	wuapp.exe
PID 544 wrote to memory of 956	544	wuapp.exe	cmd.exe
PID 544 wrote to memory of 956	544	wuapp.exe	cmd.exe
PID 544 wrote to memory of 956	544	wuapp.exe	cmd.exe
PID 544 wrote to memory of 956	544	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1200

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1072

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
PID:640

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
PID:1332

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
PID:1228

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
PID:364

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:392

C:\Windows\SysWOW64\wuapp.exe
"C:\Windows\SysWOW64\wuapp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:544

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
- Deletes itself
PID:956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/392-68-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/392-69-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/392-67-0x000000000041EB40-mapping.dmp

Download
memory/544-73-0x0000000000090000-0x00000000000BE000-memory.dmp

Filesize
184KB

Download
memory/544-71-0x0000000000000000-mapping.dmp

Download
memory/544-72-0x0000000001370000-0x000000000137B000-memory.dmp

Filesize
44KB

Download
memory/544-74-0x0000000000B70000-0x0000000000E73000-memory.dmp

Filesize
3.0MB

Download
memory/544-76-0x00000000009E0000-0x0000000000A73000-memory.dmp

Filesize
588KB

Download
memory/956-75-0x0000000000000000-mapping.dmp

Download
memory/1072-65-0x0000000001FB0000-0x0000000001FE2000-memory.dmp

Filesize
200KB

Download
memory/1072-64-0x0000000005E80000-0x0000000005EF6000-memory.dmp

Filesize
472KB

Download
memory/1072-63-0x0000000000450000-0x0000000000461000-memory.dmp

Filesize
68KB

Download
memory/1072-62-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/1072-60-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1200-70-0x00000000073C0000-0x000000000755C000-memory.dmp

Filesize
1.6MB

Download
memory/1200-77-0x0000000007F30000-0x000000000809C000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads