formbook | 69394a249833f97289151fa8334f32e0b0467ce4ecb164b0706784fb836136a6

General

Target

PI L032452021xxls.exe
Size

706KB
MD5

73c7fda15888b3b6cc025ce3d5f83161
SHA1

78b8467853dc5bdba4dd28a8602902fcc210f67c
SHA256

69394a249833f97289151fa8334f32e0b0467ce4ecb164b0706784fb836136a6
SHA512

dbb943a00e2c24dc0926f36b81409d28789a10d20b8e4043b2545eff1daa74448bc324ada5376e582757ce3db916042747b7939648d8ed102fe2be305ffe872a

Score

10^/10

formbook ergs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ergs

C2

http://www.barry-associates.com/ergs/

Decoy

jardineriavilanova.com

highkeyfashionboutique.com

willingtobuyyourhouse.com

ysfno.com

bjkhjzzs.com

hexmotif.com

intentionalerror.com

nuu-foundfreedom.com

catalystspeechservices.com

blackmybail.com

xntaobaozhibo.com

site-sozdat.online

45quisisanadr.com

ipawlove.com

yifa5188.com

admm.email

houseoftealbh.com

scale-biz.com

vdvppt.club

loveandlight.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/368-58-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/368-59-0x000000000041EB70-mapping.dmp	formbook
behavioral1/memory/592-66-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1760 cmd.exe

pid	process
1760	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PI L032452021xxls.exePI L032452021xxls.exenetsh.exe

description	pid	process	target process
PID 1032 set thread context of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 368 set thread context of 1280	368	PI L032452021xxls.exe	Explorer.EXE
PID 592 set thread context of 1280	592	netsh.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

PI L032452021xxls.exenetsh.exe

pid	process
368	PI L032452021xxls.exe
368	PI L032452021xxls.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe
592	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PI L032452021xxls.exenetsh.exe

pid process

368 PI L032452021xxls.exe
368 PI L032452021xxls.exe
368 PI L032452021xxls.exe
592 netsh.exe
592 netsh.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PI L032452021xxls.exenetsh.exe

description pid process

Token: SeDebugPrivilege 368 PI L032452021xxls.exe
Token: SeDebugPrivilege 592 netsh.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
1280 Explorer.EXE
1280 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

Explorer.EXE

pid process

1280 Explorer.EXE
1280 Explorer.EXE
1280 Explorer.EXE
1280 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	368	PI L032452021xxls.exe
Token: SeDebugPrivilege	592	netsh.exe

pid	process
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

pid	process
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PI L032452021xxls.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 1032 wrote to memory of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 1032 wrote to memory of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 1032 wrote to memory of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 1032 wrote to memory of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 1032 wrote to memory of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 1032 wrote to memory of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 1032 wrote to memory of 368	1032	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 1280 wrote to memory of 592	1280	Explorer.EXE	netsh.exe
PID 1280 wrote to memory of 592	1280	Explorer.EXE	netsh.exe
PID 1280 wrote to memory of 592	1280	Explorer.EXE	netsh.exe
PID 1280 wrote to memory of 592	1280	Explorer.EXE	netsh.exe
PID 592 wrote to memory of 1760	592	netsh.exe	cmd.exe
PID 592 wrote to memory of 1760	592	netsh.exe	cmd.exe
PID 592 wrote to memory of 1760	592	netsh.exe	cmd.exe
PID 592 wrote to memory of 1760	592	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1032

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:368

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:592

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
- Deletes itself
PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/368-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/368-60-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download
memory/368-61-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/368-59-0x000000000041EB70-mapping.dmp

Download
memory/592-65-0x00000000017B0000-0x00000000017CB000-memory.dmp

Filesize
108KB

Download
memory/592-63-0x0000000000000000-mapping.dmp

Download
memory/592-66-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/592-67-0x0000000000D50000-0x0000000001053000-memory.dmp

Filesize
3.0MB

Download
memory/592-68-0x0000000000560000-0x00000000005F3000-memory.dmp

Filesize
588KB

Download
memory/1032-57-0x0000000000A80000-0x0000000000AAF000-memory.dmp

Filesize
188KB

Download
memory/1032-56-0x0000000005AD0000-0x0000000005B34000-memory.dmp

Filesize
400KB

Download
memory/1032-55-0x0000000000580000-0x0000000000587000-memory.dmp

Filesize
28KB

Download
memory/1032-54-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/1032-52-0x0000000000AC0000-0x0000000000AC1000-memory.dmp

Filesize
4KB

Download
memory/1280-62-0x0000000006B60000-0x0000000006CA6000-memory.dmp

Filesize
1.3MB

Download
memory/1280-69-0x00000000049F0000-0x0000000004ABA000-memory.dmp

Filesize
808KB

Download
memory/1760-64-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads