formbook | 24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e

General

Target

mal.pif.exe
Size

591KB
MD5

b9bca038d7532ec8a1a9ba0e867061bc
SHA1

6596ac1216bf03d88482415755c499ed6388cab4
SHA256

24d91f6c3dcad36d65e45821d520aaabc2f4a87bb1ab512d6807377010d5680e
SHA512

861bfb748cd3060698d23e04e0b58d2e2eb12dedfbfdeeece6a5643bdeab9472bbe3f73d144e95fd78e8ee862ae3fde9385b11b2f35b0ea0c974326d70846e6d

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.trendtechpros.com/sm3l/

Decoy

svp-india.com

feistyflowerfarmers.com

artprogressive.com

thedavidweaver.com

currentputative.life

bluedot3dwdbuy.com

xxxmeetme.com

signify2.com

converseshoes-canada.com

schemabuilder.net

crmcti.com

mctrh.com

ringroadpartners.com

stresslesspilates.com

directorytexas.xyz

sarahcarver.com

diigveda.com

lifeliveslive.com

inprize2020.club

sellerbantuan-bukalapak.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2736-124-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2736-125-0x000000000041EB40-mapping.dmp	formbook
behavioral2/memory/3632-132-0x0000000003280000-0x00000000032AE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

mal.pif.exemal.pif.exeNETSTAT.EXE

description	pid	process	target process
PID 636 set thread context of 2736	636	mal.pif.exe	mal.pif.exe
PID 2736 set thread context of 3052	2736	mal.pif.exe	Explorer.EXE
PID 3632 set thread context of 3052	3632	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

3632 NETSTAT.EXE

pid	process
3632	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

mal.pif.exeNETSTAT.EXE

pid	process
2736	mal.pif.exe
2736	mal.pif.exe
2736	mal.pif.exe
2736	mal.pif.exe
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE
3632	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3052 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

mal.pif.exeNETSTAT.EXE

pid process

2736 mal.pif.exe
2736 mal.pif.exe
2736 mal.pif.exe
3632 NETSTAT.EXE
3632 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

mal.pif.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2736 mal.pif.exe
Token: SeDebugPrivilege 3632 NETSTAT.EXE

pid	process
3052	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2736	mal.pif.exe
Token: SeDebugPrivilege	3632	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

mal.pif.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 636 wrote to memory of 2736	636	mal.pif.exe	mal.pif.exe
PID 636 wrote to memory of 2736	636	mal.pif.exe	mal.pif.exe
PID 636 wrote to memory of 2736	636	mal.pif.exe	mal.pif.exe
PID 636 wrote to memory of 2736	636	mal.pif.exe	mal.pif.exe
PID 636 wrote to memory of 2736	636	mal.pif.exe	mal.pif.exe
PID 636 wrote to memory of 2736	636	mal.pif.exe	mal.pif.exe
PID 3052 wrote to memory of 3632	3052	Explorer.EXE	NETSTAT.EXE
PID 3052 wrote to memory of 3632	3052	Explorer.EXE	NETSTAT.EXE
PID 3052 wrote to memory of 3632	3052	Explorer.EXE	NETSTAT.EXE
PID 3632 wrote to memory of 1920	3632	NETSTAT.EXE	cmd.exe
PID 3632 wrote to memory of 1920	3632	NETSTAT.EXE	cmd.exe
PID 3632 wrote to memory of 1920	3632	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3052

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:636

C:\Users\Admin\AppData\Local\Temp\mal.pif.exe
"C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:3992

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\mal.pif.exe"
3⤵
PID:1920

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-114-0x0000000000A00000-0x0000000000A01000-memory.dmp

Filesize
4KB

Download
memory/636-116-0x0000000007C10000-0x0000000007C11000-memory.dmp

Filesize
4KB

Download
memory/636-117-0x00000000077F0000-0x00000000077F1000-memory.dmp

Filesize
4KB

Download
memory/636-118-0x0000000007890000-0x0000000007891000-memory.dmp

Filesize
4KB

Download
memory/636-119-0x0000000007710000-0x0000000007C0E000-memory.dmp

Filesize
5.0MB

Download
memory/636-120-0x00000000077A0000-0x00000000077A1000-memory.dmp

Filesize
4KB

Download
memory/636-121-0x0000000002BB0000-0x0000000002BC1000-memory.dmp

Filesize
68KB

Download
memory/636-122-0x0000000007490000-0x0000000007506000-memory.dmp

Filesize
472KB

Download
memory/636-123-0x0000000007530000-0x0000000007562000-memory.dmp

Filesize
200KB

Download
memory/1920-130-0x0000000000000000-mapping.dmp

Download
memory/2736-125-0x000000000041EB40-mapping.dmp

Download
memory/2736-127-0x0000000001D10000-0x0000000001D24000-memory.dmp

Filesize
80KB

Download
memory/2736-126-0x0000000001910000-0x0000000001C30000-memory.dmp

Filesize
3.1MB

Download
memory/2736-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3052-128-0x0000000002550000-0x0000000002609000-memory.dmp

Filesize
740KB

Download
memory/3052-135-0x00000000060F0000-0x00000000061D4000-memory.dmp

Filesize
912KB

Download
memory/3632-129-0x0000000000000000-mapping.dmp

Download
memory/3632-131-0x0000000000B30000-0x0000000000B3B000-memory.dmp

Filesize
44KB

Download
memory/3632-132-0x0000000003280000-0x00000000032AE000-memory.dmp

Filesize
184KB

Download
memory/3632-133-0x00000000032B0000-0x00000000033FA000-memory.dmp

Filesize
1.3MB

Download
memory/3632-134-0x0000000003770000-0x0000000003803000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads