formbook | 9404982e0cf941d6103e40246a6689d91be00c03c8d9072e42ebf56bd9080492

General

Target

AWB##29721.PDF.exe
Size

461KB
MD5

6244f4e218cef1f89dbe0a96374d5eaa
SHA1

d6d8c3c4a7e9f777b9c4383120b057be18a4ad41
SHA256

9404982e0cf941d6103e40246a6689d91be00c03c8d9072e42ebf56bd9080492
SHA512

bf8c0c36444aedf8033b636121fd18e2c6ec417ccd56ca528bd3b71c3b71dc5c330c6018c30822c5e33e5d833a863e1a219f9881dd98caf53ba78616ec1a4736

Score

10^/10

formbook gr1c rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gr1c

C2

http://www.illusiontrick.com/gr1c/

Decoy

soakyourgrains.com

duwego.com

aenkdesign.com

bikabbziu.xyz

thesawyerlegacy.com

koreanmodelbj.xyz

exceed-standards.com

syirsve.com

sachisushimontreal.com

thegalwaykitchen.com

accarwash-hub.com

connectwithmentor.com

luftfundament.online

ibrahimkaracan.com

biggersinsurance.com

desellon.com

tvnewscloset.com

digital-dre.com

ingocg.com

fernanda-ortiz.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/644-59-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/644-60-0x000000000041F0B0-mapping.dmp	formbook
behavioral1/memory/644-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1928-70-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1376 cmd.exe

pid	process
1376	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

AWB##29721.PDF.exeAWB##29721.PDF.exewininit.exe

description	pid	process	target process
PID 1652 set thread context of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 644 set thread context of 1268	644	AWB##29721.PDF.exe	Explorer.EXE
PID 644 set thread context of 1268	644	AWB##29721.PDF.exe	Explorer.EXE
PID 1928 set thread context of 1268	1928	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 34 IoCs

Processes:

AWB##29721.PDF.exeAWB##29721.PDF.exewininit.exe

pid	process
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
1652	AWB##29721.PDF.exe
644	AWB##29721.PDF.exe
644	AWB##29721.PDF.exe
644	AWB##29721.PDF.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe
1928	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

AWB##29721.PDF.exewininit.exe

pid process

644 AWB##29721.PDF.exe
644 AWB##29721.PDF.exe
644 AWB##29721.PDF.exe
644 AWB##29721.PDF.exe
1928 wininit.exe
1928 wininit.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AWB##29721.PDF.exeAWB##29721.PDF.exewininit.exe

description pid process

Token: SeDebugPrivilege 1652 AWB##29721.PDF.exe
Token: SeDebugPrivilege 644 AWB##29721.PDF.exe
Token: SeDebugPrivilege 1928 wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
644	AWB##29721.PDF.exe
644	AWB##29721.PDF.exe
644	AWB##29721.PDF.exe
644	AWB##29721.PDF.exe
1928	wininit.exe
1928	wininit.exe

description	pid	process
Token: SeDebugPrivilege	1652	AWB##29721.PDF.exe
Token: SeDebugPrivilege	644	AWB##29721.PDF.exe
Token: SeDebugPrivilege	1928	wininit.exe

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

AWB##29721.PDF.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 1652 wrote to memory of 840	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 840	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 840	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 840	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 600	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 600	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 600	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 600	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1652 wrote to memory of 644	1652	AWB##29721.PDF.exe	AWB##29721.PDF.exe
PID 1268 wrote to memory of 1928	1268	Explorer.EXE	wininit.exe
PID 1268 wrote to memory of 1928	1268	Explorer.EXE	wininit.exe
PID 1268 wrote to memory of 1928	1268	Explorer.EXE	wininit.exe
PID 1268 wrote to memory of 1928	1268	Explorer.EXE	wininit.exe
PID 1928 wrote to memory of 1376	1928	wininit.exe	cmd.exe
PID 1928 wrote to memory of 1376	1928	wininit.exe	cmd.exe
PID 1928 wrote to memory of 1376	1928	wininit.exe	cmd.exe
PID 1928 wrote to memory of 1376	1928	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe"
3⤵
PID:840

C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe"
3⤵
PID:600

C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe
"C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1928

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\AWB##29721.PDF.exe"
3⤵
- Deletes itself
PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-66-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/644-62-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/644-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-60-0x000000000041F0B0-mapping.dmp

Download
memory/644-63-0x0000000000260000-0x0000000000274000-memory.dmp

Filesize
80KB

Download
memory/1268-74-0x0000000007C90000-0x0000000007E06000-memory.dmp

Filesize
1.5MB

Download
memory/1268-64-0x00000000041C0000-0x00000000042BD000-memory.dmp

Filesize
1012KB

Download
memory/1268-67-0x0000000006470000-0x00000000065CA000-memory.dmp

Filesize
1.4MB

Download
memory/1376-72-0x0000000000000000-mapping.dmp

Download
memory/1652-55-0x0000000074A41000-0x0000000074A43000-memory.dmp

Filesize
8KB

Download
memory/1652-54-0x0000000002010000-0x0000000002011000-memory.dmp

Filesize
4KB

Download
memory/1652-56-0x0000000002011000-0x0000000002012000-memory.dmp

Filesize
4KB

Download
memory/1928-68-0x0000000000000000-mapping.dmp

Download
memory/1928-69-0x00000000004A0000-0x00000000004BA000-memory.dmp

Filesize
104KB

Download
memory/1928-70-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1928-71-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1928-73-0x00000000004C0000-0x0000000000553000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads