formbook | fe8141ad1869a8ac34a4c258ce4c62d09ede71e1ea9f819c22e954aee473df4d

General

Target

Payment receipt.pdf.exe
Size

821KB
MD5

b23c8de2a3a56e2fb8bacb085dbd9d19
SHA1

5957dbee0b2b200110787aac267be09bcecbeda2
SHA256

027eae741aaf031d2edcdc08920457e4c2e641c33847d67705d791f124b7781e
SHA512

a696b8e4cdbca841f2ecae342d8aa61c9ac9adc0849e69c715f3f3ce7b5195711bf4a22ad8c2add5bf1962d6a6cb18b751abbe73711699bce59199bd09ad2a63

Score

10^/10

formbook mo9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

C2

http://www.lievival.info/mo9n/

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2556-126-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2556-127-0x000000000041F110-mapping.dmp	formbook
behavioral2/memory/3808-134-0x0000000000620000-0x000000000064F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.execmd.exe

description	pid	process	target process
PID 2056 set thread context of 2556	2056	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2556 set thread context of 3024	2556	Payment receipt.pdf.exe	Explorer.EXE
PID 3808 set thread context of 3024	3808	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 51 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.execmd.exe

pid	process
2056	Payment receipt.pdf.exe
2056	Payment receipt.pdf.exe
2056	Payment receipt.pdf.exe
2556	Payment receipt.pdf.exe
2556	Payment receipt.pdf.exe
2556	Payment receipt.pdf.exe
2556	Payment receipt.pdf.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe
3808	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment receipt.pdf.execmd.exe

pid process

2556 Payment receipt.pdf.exe
2556 Payment receipt.pdf.exe
2556 Payment receipt.pdf.exe
3808 cmd.exe
3808 cmd.exe

pid	process
3024	Explorer.EXE

pid	process
2556	Payment receipt.pdf.exe
2556	Payment receipt.pdf.exe
2556	Payment receipt.pdf.exe
3808	cmd.exe
3808	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.execmd.exe

description	pid	process
Token: SeDebugPrivilege	2056	Payment receipt.pdf.exe
Token: SeDebugPrivilege	2556	Payment receipt.pdf.exe
Token: SeDebugPrivilege	3808	cmd.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Payment receipt.pdf.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2056 wrote to memory of 2556	2056	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2056 wrote to memory of 2556	2056	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2056 wrote to memory of 2556	2056	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2056 wrote to memory of 2556	2056	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2056 wrote to memory of 2556	2056	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2056 wrote to memory of 2556	2056	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3024 wrote to memory of 3808	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3808	3024	Explorer.EXE	cmd.exe
PID 3024 wrote to memory of 3808	3024	Explorer.EXE	cmd.exe
PID 3808 wrote to memory of 3264	3808	cmd.exe	cmd.exe
PID 3808 wrote to memory of 3264	3808	cmd.exe	cmd.exe
PID 3808 wrote to memory of 3264	3808	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2056

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3808

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
3⤵
PID:3264

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2056-115-0x0000000000600000-0x0000000000601000-memory.dmp

Filesize
4KB

Download
memory/2056-117-0x0000000005300000-0x0000000005301000-memory.dmp

Filesize
4KB

Download
memory/2056-118-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download
memory/2056-119-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2056-120-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/2056-121-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2056-122-0x0000000005560000-0x0000000005561000-memory.dmp

Filesize
4KB

Download
memory/2056-123-0x0000000005790000-0x000000000579E000-memory.dmp

Filesize
56KB

Download
memory/2056-124-0x0000000008D40000-0x0000000008DC2000-memory.dmp

Filesize
520KB

Download
memory/2056-125-0x000000000B590000-0x000000000B5C0000-memory.dmp

Filesize
192KB

Download
memory/2556-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2556-127-0x000000000041F110-mapping.dmp

Download
memory/2556-130-0x0000000001380000-0x0000000001394000-memory.dmp

Filesize
80KB

Download
memory/2556-129-0x00000000013F0000-0x0000000001710000-memory.dmp

Filesize
3.1MB

Download
memory/3024-131-0x0000000002B30000-0x0000000002BF6000-memory.dmp

Filesize
792KB

Download
memory/3024-138-0x0000000005180000-0x0000000005269000-memory.dmp

Filesize
932KB

Download
memory/3264-136-0x0000000000000000-mapping.dmp

Download
memory/3808-132-0x0000000000000000-mapping.dmp

Download
memory/3808-134-0x0000000000620000-0x000000000064F000-memory.dmp

Filesize
188KB

Download
memory/3808-133-0x0000000000830000-0x0000000000889000-memory.dmp

Filesize
356KB

Download
memory/3808-135-0x0000000002E80000-0x00000000031A0000-memory.dmp

Filesize
3.1MB

Download
memory/3808-137-0x00000000031A0000-0x0000000003233000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads