formbook | 69394a249833f97289151fa8334f32e0b0467ce4ecb164b0706784fb836136a6

General

Target

PI L032452021xxls.exe
Size

706KB
MD5

73c7fda15888b3b6cc025ce3d5f83161
SHA1

78b8467853dc5bdba4dd28a8602902fcc210f67c
SHA256

69394a249833f97289151fa8334f32e0b0467ce4ecb164b0706784fb836136a6
SHA512

dbb943a00e2c24dc0926f36b81409d28789a10d20b8e4043b2545eff1daa74448bc324ada5376e582757ce3db916042747b7939648d8ed102fe2be305ffe872a

Score

10^/10

formbook ergs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ergs

C2

http://www.barry-associates.com/ergs/

Decoy

jardineriavilanova.com

highkeyfashionboutique.com

willingtobuyyourhouse.com

ysfno.com

bjkhjzzs.com

hexmotif.com

intentionalerror.com

nuu-foundfreedom.com

catalystspeechservices.com

blackmybail.com

xntaobaozhibo.com

site-sozdat.online

45quisisanadr.com

ipawlove.com

yifa5188.com

admm.email

houseoftealbh.com

scale-biz.com

vdvppt.club

loveandlight.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4044-124-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4044-125-0x000000000041EB70-mapping.dmp	formbook
behavioral2/memory/2952-132-0x0000000000F10000-0x0000000000F3E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PI L032452021xxls.exePI L032452021xxls.execmstp.exe

description	pid	process	target process
PID 740 set thread context of 4044	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 4044 set thread context of 2536	4044	PI L032452021xxls.exe	Explorer.EXE
PID 2952 set thread context of 2536	2952	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

PI L032452021xxls.exePI L032452021xxls.execmstp.exe

pid	process
740	PI L032452021xxls.exe
740	PI L032452021xxls.exe
4044	PI L032452021xxls.exe
4044	PI L032452021xxls.exe
4044	PI L032452021xxls.exe
4044	PI L032452021xxls.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe
2952	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2536 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PI L032452021xxls.execmstp.exe

pid process

4044 PI L032452021xxls.exe
4044 PI L032452021xxls.exe
4044 PI L032452021xxls.exe
2952 cmstp.exe
2952 cmstp.exe

pid	process
2536	Explorer.EXE

pid	process
4044	PI L032452021xxls.exe
4044	PI L032452021xxls.exe
4044	PI L032452021xxls.exe
2952	cmstp.exe
2952	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PI L032452021xxls.exePI L032452021xxls.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	740	PI L032452021xxls.exe
Token: SeDebugPrivilege	4044	PI L032452021xxls.exe
Token: SeDebugPrivilege	2952	cmstp.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

2536 Explorer.EXE

pid	process
2536	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PI L032452021xxls.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 740 wrote to memory of 968	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 968	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 968	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 4044	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 4044	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 4044	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 4044	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 4044	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 740 wrote to memory of 4044	740	PI L032452021xxls.exe	PI L032452021xxls.exe
PID 2536 wrote to memory of 2952	2536	Explorer.EXE	cmstp.exe
PID 2536 wrote to memory of 2952	2536	Explorer.EXE	cmstp.exe
PID 2536 wrote to memory of 2952	2536	Explorer.EXE	cmstp.exe
PID 2952 wrote to memory of 2580	2952	cmstp.exe	cmd.exe
PID 2952 wrote to memory of 2580	2952	cmstp.exe	cmd.exe
PID 2952 wrote to memory of 2580	2952	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2536

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:740

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe
"C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4044

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI L032452021xxls.exe"
3⤵
PID:2580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/740-116-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/740-117-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/740-118-0x00000000051D0000-0x00000000051D1000-memory.dmp

Filesize
4KB

Download
memory/740-119-0x00000000055B0000-0x00000000055B7000-memory.dmp

Filesize
28KB

Download
memory/740-120-0x00000000087D0000-0x00000000087D1000-memory.dmp

Filesize
4KB

Download
memory/740-121-0x0000000005140000-0x00000000051D2000-memory.dmp

Filesize
584KB

Download
memory/740-122-0x0000000008970000-0x00000000089D4000-memory.dmp

Filesize
400KB

Download
memory/740-123-0x000000000B120000-0x000000000B14F000-memory.dmp

Filesize
188KB

Download
memory/740-114-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/2536-128-0x0000000005570000-0x000000000567E000-memory.dmp

Filesize
1.1MB

Download
memory/2536-135-0x0000000005680000-0x00000000057B9000-memory.dmp

Filesize
1.2MB

Download
memory/2580-133-0x0000000000000000-mapping.dmp

Download
memory/2952-130-0x0000000001140000-0x0000000001156000-memory.dmp

Filesize
88KB

Download
memory/2952-129-0x0000000000000000-mapping.dmp

Download
memory/2952-131-0x0000000005180000-0x00000000054A0000-memory.dmp

Filesize
3.1MB

Download
memory/2952-132-0x0000000000F10000-0x0000000000F3E000-memory.dmp

Filesize
184KB

Download
memory/2952-134-0x0000000004FB0000-0x0000000005043000-memory.dmp

Filesize
588KB

Download
memory/4044-126-0x00000000018D0000-0x0000000001BF0000-memory.dmp

Filesize
3.1MB

Download
memory/4044-127-0x0000000001820000-0x0000000001834000-memory.dmp

Filesize
80KB

Download
memory/4044-125-0x000000000041EB70-mapping.dmp

Download
memory/4044-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads