formbook | 9598f7ebeef58e063e6e5de7da5ea2775991628d11c4fae3e3e2854fa22065eb

General

Target

bobb4567.exe
Size

245KB
MD5

90825728992d0ef937e2523370e34b31
SHA1

7b9a3d06e10d3ccb32a8be5a98ec253bbc0bdebf
SHA256

9598f7ebeef58e063e6e5de7da5ea2775991628d11c4fae3e3e2854fa22065eb
SHA512

dc180827a8ba8f24dbf20f38091e1bee6c96776399733bf6519e567c0072ae5907abeaeea5873630a4a9057ec34370bbee47042c7b7e5d4e143ac6cac105f370

Score

10^/10

formbook rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.bulverderoofing.com/lt0h/

Decoy

originalindigofurniture.co.uk

fl6588.com

acecademy.com

yaerofinerindalnalising.com

mendilovic.online

rishenght.com

famlees.com

myhomeofficemarket.com

bouquetarabia.com

chrisbani.com

freebandslegally.com

hernandezinsurancegroup.net

slicedandfresh.com

apnathikanas.com

chadhatesyou.com

ansilsas.com

in3development.com

nitiren.net

peespn.com

valengz.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1464-116-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2700-125-0x00000000008A0000-0x00000000008CE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

bobb4567.exebobb4567.exemsiexec.exe

description	pid	process	target process
PID 512 set thread context of 1464	512	bobb4567.exe	bobb4567.exe
PID 1464 set thread context of 388	1464	bobb4567.exe	Explorer.EXE
PID 2700 set thread context of 388	2700	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

bobb4567.exemsiexec.exe

pid	process
1464	bobb4567.exe
1464	bobb4567.exe
1464	bobb4567.exe
1464	bobb4567.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe
2700	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

388 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

bobb4567.exebobb4567.exemsiexec.exe

pid process

512 bobb4567.exe
1464 bobb4567.exe
1464 bobb4567.exe
1464 bobb4567.exe
2700 msiexec.exe
2700 msiexec.exe

pid	process
388	Explorer.EXE

pid	process
512	bobb4567.exe
1464	bobb4567.exe
1464	bobb4567.exe
1464	bobb4567.exe
2700	msiexec.exe
2700	msiexec.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

bobb4567.exeExplorer.EXEmsiexec.exe

description	pid	process
Token: SeDebugPrivilege	1464	bobb4567.exe
Token: SeShutdownPrivilege	388	Explorer.EXE
Token: SeCreatePagefilePrivilege	388	Explorer.EXE
Token: SeShutdownPrivilege	388	Explorer.EXE
Token: SeCreatePagefilePrivilege	388	Explorer.EXE
Token: SeShutdownPrivilege	388	Explorer.EXE
Token: SeCreatePagefilePrivilege	388	Explorer.EXE
Token: SeShutdownPrivilege	388	Explorer.EXE
Token: SeCreatePagefilePrivilege	388	Explorer.EXE
Token: SeShutdownPrivilege	388	Explorer.EXE
Token: SeCreatePagefilePrivilege	388	Explorer.EXE
Token: SeShutdownPrivilege	388	Explorer.EXE
Token: SeCreatePagefilePrivilege	388	Explorer.EXE
Token: SeDebugPrivilege	2700	msiexec.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

388 Explorer.EXE

pid	process
388	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

bobb4567.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 512 wrote to memory of 1464	512	bobb4567.exe	bobb4567.exe
PID 512 wrote to memory of 1464	512	bobb4567.exe	bobb4567.exe
PID 512 wrote to memory of 1464	512	bobb4567.exe	bobb4567.exe
PID 512 wrote to memory of 1464	512	bobb4567.exe	bobb4567.exe
PID 388 wrote to memory of 2700	388	Explorer.EXE	msiexec.exe
PID 388 wrote to memory of 2700	388	Explorer.EXE	msiexec.exe
PID 388 wrote to memory of 2700	388	Explorer.EXE	msiexec.exe
PID 2700 wrote to memory of 1476	2700	msiexec.exe	cmd.exe
PID 2700 wrote to memory of 1476	2700	msiexec.exe	cmd.exe
PID 2700 wrote to memory of 1476	2700	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:388

C:\Users\Admin\AppData\Local\Temp\bobb4567.exe
"C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:512

C:\Users\Admin\AppData\Local\Temp\bobb4567.exe
"C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1464

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2700

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\bobb4567.exe"
3⤵
PID:1476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-128-0x00000000058B0000-0x00000000059AC000-memory.dmp

Filesize
1008KB

Download
memory/388-119-0x0000000005C50000-0x0000000005D67000-memory.dmp

Filesize
1.1MB

Download
memory/512-115-0x00000000003D0000-0x00000000003D2000-memory.dmp

Filesize
8KB

Download
memory/1464-116-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1464-117-0x0000000001710000-0x0000000001A30000-memory.dmp

Filesize
3.1MB

Download
memory/1464-118-0x0000000001670000-0x0000000001684000-memory.dmp

Filesize
80KB

Download
memory/1464-114-0x000000000041EB60-mapping.dmp

Download
memory/1476-123-0x0000000000000000-mapping.dmp

Download
memory/2700-120-0x0000000000000000-mapping.dmp

Download
memory/2700-126-0x00000000047C0000-0x0000000004AE0000-memory.dmp

Filesize
3.1MB

Download
memory/2700-124-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download
memory/2700-125-0x00000000008A0000-0x00000000008CE000-memory.dmp

Filesize
184KB

Download
memory/2700-127-0x0000000004550000-0x00000000045E3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads