formbook | 25e5055023abbb8c18992618b6f04c94b8b13ff8bd33d4a4f8462d92902461bf

General

Target

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Size

460KB
MD5

4bc84a1a436c849698fd54c0f921c2a1
SHA1

c7c7cb7b33da65ffc53ff9351b56802cb1561560
SHA256

25e5055023abbb8c18992618b6f04c94b8b13ff8bd33d4a4f8462d92902461bf
SHA512

c86ec6b9fef554818af6aacdc7df24bb7ad1813390f6e708c7b9cd385a274286419c3f738d55ef411a1be82cbf462e483525ef20e27a4b6b24ceb4fc99001f19

Score

10^/10

formbook cnp0 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cnp0

C2

http://www.ccnsv.net/cnp0/

Decoy

jiarenyuanhunlian.com

xquizitelashesnwaxx.com

rentinerie.com

herbalpedia-id.com

openseagames.com

re-swap.com

william-cook.com

segensv.com

versebay.com

brendanlairdsound.com

bypestor.com

hospitaldelpc.net

wwwroadrunnerfinancial.com

waterhammerstudios.com

hustleandbank.photography

secure01bchslogin.com

rarepeperanking.com

greatland.company

happybirthdayjewel.com

raheok.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3212-125-0x000000000041F0D0-mapping.dmp	formbook
behavioral2/memory/3212-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2216-132-0x0000000000BC0000-0x0000000000BEF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exeINQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exemsdt.exe

description	pid	process	target process
PID 2680 set thread context of 3212	2680	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 3212 set thread context of 3064	3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	Explorer.EXE
PID 2216 set thread context of 3064	2216	msdt.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exemsdt.exe

pid	process
3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe
2216	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3064 Explorer.EXE

pid	process
3064	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exemsdt.exe

pid	process
3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
2216	msdt.exe
2216	msdt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exemsdt.exe

description pid process

Token: SeDebugPrivilege 3212 INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Token: SeDebugPrivilege 2216 msdt.exe

description	pid	process
Token: SeDebugPrivilege	3212	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
Token: SeDebugPrivilege	2216	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 2680 wrote to memory of 3212	2680	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 2680 wrote to memory of 3212	2680	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 2680 wrote to memory of 3212	2680	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 2680 wrote to memory of 3212	2680	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 2680 wrote to memory of 3212	2680	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 2680 wrote to memory of 3212	2680	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe	INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
PID 3064 wrote to memory of 2216	3064	Explorer.EXE	msdt.exe
PID 3064 wrote to memory of 2216	3064	Explorer.EXE	msdt.exe
PID 3064 wrote to memory of 2216	3064	Explorer.EXE	msdt.exe
PID 2216 wrote to memory of 1112	2216	msdt.exe	cmd.exe
PID 2216 wrote to memory of 1112	2216	msdt.exe	cmd.exe
PID 2216 wrote to memory of 1112	2216	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2680

C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe
"C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\INQUIRY DOCUMENTS & DATA COMPANY INFORMATION.exe"
3⤵
PID:1112

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1112-133-0x0000000000000000-mapping.dmp

Download
memory/2216-130-0x0000000000000000-mapping.dmp

Download
memory/2216-135-0x0000000001050000-0x00000000010E3000-memory.dmp

Filesize
588KB

Download
memory/2216-134-0x0000000004830000-0x0000000004B50000-memory.dmp

Filesize
3.1MB

Download
memory/2216-131-0x00000000012B0000-0x0000000001423000-memory.dmp

Filesize
1.4MB

Download
memory/2216-132-0x0000000000BC0000-0x0000000000BEF000-memory.dmp

Filesize
188KB

Download
memory/2680-121-0x00000000058F0000-0x00000000058F7000-memory.dmp

Filesize
28KB

Download
memory/2680-119-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/2680-117-0x0000000005E10000-0x0000000005E11000-memory.dmp

Filesize
4KB

Download
memory/2680-118-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/2680-123-0x00000000065B0000-0x0000000006600000-memory.dmp

Filesize
320KB

Download
memory/2680-120-0x0000000005730000-0x00000000057C2000-memory.dmp

Filesize
584KB

Download
memory/2680-115-0x0000000000EF0000-0x0000000000EF1000-memory.dmp

Filesize
4KB

Download
memory/2680-122-0x0000000006510000-0x0000000006511000-memory.dmp

Filesize
4KB

Download
memory/3064-129-0x00000000027C0000-0x000000000287B000-memory.dmp

Filesize
748KB

Download
memory/3064-136-0x0000000004E10000-0x0000000004F97000-memory.dmp

Filesize
1.5MB

Download
memory/3212-127-0x0000000001800000-0x0000000001B20000-memory.dmp

Filesize
3.1MB

Download
memory/3212-128-0x0000000001260000-0x00000000013AA000-memory.dmp

Filesize
1.3MB

Download
memory/3212-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3212-125-0x000000000041F0D0-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads