formbook | d4fb3556995ee659f550487a7eda98e7b422a0a6a8e4ba7f5777c7973cae312d

General

Target

PLM-QUOT-292MKV AST.exe
Size

525KB
MD5

4d212e509348f56edb404d564a19d6b8
SHA1

59d3542f9e2f3e74078e837e5cba3d46d1414ad8
SHA256

3c74c617119a6ba48fd332b234183150245f1594acf80eb51935783d68d4f783
SHA512

89bf3a8a1232662245c6b4b96f69801027635f38b5de4099eb6c6fbffc944b38bb8e50362b586a10ae1c31b43f0565a62222b6c9bf6a9a8364d6d3c43645e463

Score

10^/10

formbook ergs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ergs

C2

http://www.barry-associates.com/ergs/

Decoy

jardineriavilanova.com

highkeyfashionboutique.com

willingtobuyyourhouse.com

ysfno.com

bjkhjzzs.com

hexmotif.com

intentionalerror.com

nuu-foundfreedom.com

catalystspeechservices.com

blackmybail.com

xntaobaozhibo.com

site-sozdat.online

45quisisanadr.com

ipawlove.com

yifa5188.com

admm.email

houseoftealbh.com

scale-biz.com

vdvppt.club

loveandlight.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4864-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4864-126-0x000000000041EB70-mapping.dmp	formbook
behavioral2/memory/4908-132-0x0000000001080000-0x00000000010AE000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PLM-QUOT-292MKV AST.exePLM-QUOT-292MKV AST.execolorcpl.exe

description	pid	process	target process
PID 4736 set thread context of 4864	4736	PLM-QUOT-292MKV AST.exe	PLM-QUOT-292MKV AST.exe
PID 4864 set thread context of 2532	4864	PLM-QUOT-292MKV AST.exe	Explorer.EXE
PID 4908 set thread context of 2532	4908	colorcpl.exe	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2559286294-2439613352-4032193287-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

PLM-QUOT-292MKV AST.execolorcpl.exe

pid	process
4864	PLM-QUOT-292MKV AST.exe
4864	PLM-QUOT-292MKV AST.exe
4864	PLM-QUOT-292MKV AST.exe
4864	PLM-QUOT-292MKV AST.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe
4908	colorcpl.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2532 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PLM-QUOT-292MKV AST.execolorcpl.exe

pid process

4864 PLM-QUOT-292MKV AST.exe
4864 PLM-QUOT-292MKV AST.exe
4864 PLM-QUOT-292MKV AST.exe
4908 colorcpl.exe
4908 colorcpl.exe

pid	process
2532	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

PLM-QUOT-292MKV AST.execolorcpl.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	4864	PLM-QUOT-292MKV AST.exe
Token: SeDebugPrivilege	4908	colorcpl.exe
Token: SeShutdownPrivilege	2532	Explorer.EXE
Token: SeCreatePagefilePrivilege	2532	Explorer.EXE
Token: SeShutdownPrivilege	2532	Explorer.EXE
Token: SeCreatePagefilePrivilege	2532	Explorer.EXE

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

2532 Explorer.EXE
2532 Explorer.EXE
2532 Explorer.EXE
2532 Explorer.EXE

pid	process
2532	Explorer.EXE
2532	Explorer.EXE
2532	Explorer.EXE
2532	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PLM-QUOT-292MKV AST.exeExplorer.EXEcolorcpl.exe

description	pid	process	target process
PID 4736 wrote to memory of 4864	4736	PLM-QUOT-292MKV AST.exe	PLM-QUOT-292MKV AST.exe
PID 4736 wrote to memory of 4864	4736	PLM-QUOT-292MKV AST.exe	PLM-QUOT-292MKV AST.exe
PID 4736 wrote to memory of 4864	4736	PLM-QUOT-292MKV AST.exe	PLM-QUOT-292MKV AST.exe
PID 4736 wrote to memory of 4864	4736	PLM-QUOT-292MKV AST.exe	PLM-QUOT-292MKV AST.exe
PID 4736 wrote to memory of 4864	4736	PLM-QUOT-292MKV AST.exe	PLM-QUOT-292MKV AST.exe
PID 4736 wrote to memory of 4864	4736	PLM-QUOT-292MKV AST.exe	PLM-QUOT-292MKV AST.exe
PID 2532 wrote to memory of 4908	2532	Explorer.EXE	colorcpl.exe
PID 2532 wrote to memory of 4908	2532	Explorer.EXE	colorcpl.exe
PID 2532 wrote to memory of 4908	2532	Explorer.EXE	colorcpl.exe
PID 4908 wrote to memory of 4936	4908	colorcpl.exe	cmd.exe
PID 4908 wrote to memory of 4936	4908	colorcpl.exe	cmd.exe
PID 4908 wrote to memory of 4936	4908	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2532

C:\Users\Admin\AppData\Local\Temp\PLM-QUOT-292MKV AST.exe
"C:\Users\Admin\AppData\Local\Temp\PLM-QUOT-292MKV AST.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4736

C:\Users\Admin\AppData\Local\Temp\PLM-QUOT-292MKV AST.exe
"C:\Users\Admin\AppData\Local\Temp\PLM-QUOT-292MKV AST.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4864

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4908

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PLM-QUOT-292MKV AST.exe"
3⤵
PID:4936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2532-128-0x0000000005E10000-0x0000000005FA8000-memory.dmp

Filesize
1.6MB

Download
memory/2532-136-0x00000000006E0000-0x00000000007C2000-memory.dmp

Filesize
904KB

Download
memory/4736-117-0x0000000004ED0000-0x0000000004ED1000-memory.dmp

Filesize
4KB

Download
memory/4736-118-0x0000000004A80000-0x0000000004A81000-memory.dmp

Filesize
4KB

Download
memory/4736-119-0x0000000004BE0000-0x0000000004BE1000-memory.dmp

Filesize
4KB

Download
memory/4736-120-0x0000000008030000-0x0000000008031000-memory.dmp

Filesize
4KB

Download
memory/4736-121-0x0000000004DF0000-0x0000000004DF7000-memory.dmp

Filesize
28KB

Download
memory/4736-122-0x00000000049D0000-0x0000000004ECE000-memory.dmp

Filesize
5.0MB

Download
memory/4736-123-0x0000000006870000-0x00000000068D4000-memory.dmp

Filesize
400KB

Download
memory/4736-124-0x0000000006920000-0x000000000694F000-memory.dmp

Filesize
188KB

Download
memory/4736-115-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/4864-126-0x000000000041EB70-mapping.dmp

Download
memory/4864-129-0x0000000000F60000-0x0000000000F74000-memory.dmp

Filesize
80KB

Download
memory/4864-127-0x00000000013F0000-0x0000000001710000-memory.dmp

Filesize
3.1MB

Download
memory/4864-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4908-130-0x0000000000000000-mapping.dmp

Download
memory/4908-131-0x0000000001120000-0x0000000001139000-memory.dmp

Filesize
100KB

Download
memory/4908-132-0x0000000001080000-0x00000000010AE000-memory.dmp

Filesize
184KB

Download
memory/4908-134-0x0000000005120000-0x0000000005440000-memory.dmp

Filesize
3.1MB

Download
memory/4908-135-0x0000000005040000-0x00000000050D3000-memory.dmp

Filesize
588KB

Download
memory/4936-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads