formbook | bb6c08035fd7dc06d3ace7952af7bd640c45c548e087dba1deaa45f1861b0077

General

Target

HENTEC12834.exe
Size

530KB
MD5

5ede73c34f56df7353c2516b0b544d3d
SHA1

3245d570c89fb1e5e4ff7f216aa6cb12099726e2
SHA256

bb6c08035fd7dc06d3ace7952af7bd640c45c548e087dba1deaa45f1861b0077
SHA512

5adf0752e70c5a04eabf3a5eb8d0694836e510421cf87057410bb95e4085fb6cb775793b27fc97a32ba7ff06276bfacd23e7090c42a62b45cef220e005f0d07e

Score

10^/10

formbook s2wt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s2wt

C2

http://www.neumanesseriran.com/s2wt/

Decoy

yukiyamaapperal.com

rumasultan.store

japaese.com

quangphatloi.com

148atk.xyz

myheatstore.online

theedeneconomy.com

5xssc1.icu

krakensistem.xyz

gwangyo.com

lj-safe-keepingkokoka6.xyz

naturetheaterofoklahoma.com

perayaanwisudaitb.com

hrbsxxf.com

allencountypallet.com

vizit-app.com

startstartnow.com

inviertechile.com

haysneedlepotracks.com

cfdbestbroker.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1808-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1808-125-0x000000000041F1B0-mapping.dmp	formbook
behavioral2/memory/1868-133-0x0000000000A20000-0x0000000000A4F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

HENTEC12834.exeHENTEC12834.exeexplorer.exe

description	pid	process	target process
PID 1500 set thread context of 1808	1500	HENTEC12834.exe	HENTEC12834.exe
PID 1808 set thread context of 3008	1808	HENTEC12834.exe	Explorer.EXE
PID 1868 set thread context of 3008	1868	explorer.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

HENTEC12834.exeexplorer.exe

pid	process
1808	HENTEC12834.exe
1808	HENTEC12834.exe
1808	HENTEC12834.exe
1808	HENTEC12834.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe
1868	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

HENTEC12834.exeexplorer.exe

pid process

1808 HENTEC12834.exe
1808 HENTEC12834.exe
1808 HENTEC12834.exe
1868 explorer.exe
1868 explorer.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

HENTEC12834.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 1808 HENTEC12834.exe
Token: SeDebugPrivilege 1868 explorer.exe

pid	process
3008	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1808	HENTEC12834.exe
Token: SeDebugPrivilege	1868	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

HENTEC12834.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1500 wrote to memory of 1808	1500	HENTEC12834.exe	HENTEC12834.exe
PID 1500 wrote to memory of 1808	1500	HENTEC12834.exe	HENTEC12834.exe
PID 1500 wrote to memory of 1808	1500	HENTEC12834.exe	HENTEC12834.exe
PID 1500 wrote to memory of 1808	1500	HENTEC12834.exe	HENTEC12834.exe
PID 1500 wrote to memory of 1808	1500	HENTEC12834.exe	HENTEC12834.exe
PID 1500 wrote to memory of 1808	1500	HENTEC12834.exe	HENTEC12834.exe
PID 3008 wrote to memory of 1868	3008	Explorer.EXE	explorer.exe
PID 3008 wrote to memory of 1868	3008	Explorer.EXE	explorer.exe
PID 3008 wrote to memory of 1868	3008	Explorer.EXE	explorer.exe
PID 1868 wrote to memory of 696	1868	explorer.exe	cmd.exe
PID 1868 wrote to memory of 696	1868	explorer.exe	cmd.exe
PID 1868 wrote to memory of 696	1868	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\HENTEC12834.exe
"C:\Users\Admin\AppData\Local\Temp\HENTEC12834.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\HENTEC12834.exe
"C:\Users\Admin\AppData\Local\Temp\HENTEC12834.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1808

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1868

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\HENTEC12834.exe"
3⤵
PID:696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/696-131-0x0000000000000000-mapping.dmp

Download
memory/1500-115-0x00000000000B0000-0x00000000000B1000-memory.dmp

Filesize
4KB

Download
memory/1500-117-0x0000000004E30000-0x0000000004E31000-memory.dmp

Filesize
4KB

Download
memory/1500-118-0x00000000049D0000-0x00000000049D1000-memory.dmp

Filesize
4KB

Download
memory/1500-119-0x0000000004930000-0x0000000004E2E000-memory.dmp

Filesize
5.0MB

Download
memory/1500-120-0x0000000004970000-0x0000000004971000-memory.dmp

Filesize
4KB

Download
memory/1500-121-0x00000000049A0000-0x00000000049A7000-memory.dmp

Filesize
28KB

Download
memory/1500-122-0x0000000005710000-0x0000000005711000-memory.dmp

Filesize
4KB

Download
memory/1500-123-0x00000000056C0000-0x0000000005710000-memory.dmp

Filesize
320KB

Download
memory/1808-128-0x0000000000D10000-0x0000000000D25000-memory.dmp

Filesize
84KB

Download
memory/1808-125-0x000000000041F1B0-mapping.dmp

Download
memory/1808-127-0x0000000001170000-0x0000000001490000-memory.dmp

Filesize
3.1MB

Download
memory/1808-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1868-130-0x0000000000000000-mapping.dmp

Download
memory/1868-133-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1868-132-0x0000000001090000-0x00000000014CF000-memory.dmp

Filesize
4.2MB

Download
memory/1868-134-0x0000000004EE0000-0x0000000005200000-memory.dmp

Filesize
3.1MB

Download
memory/1868-135-0x0000000004D40000-0x0000000004DD4000-memory.dmp

Filesize
592KB

Download
memory/3008-129-0x0000000005AE0000-0x0000000005BF5000-memory.dmp

Filesize
1.1MB

Download
memory/3008-136-0x0000000005C00000-0x0000000005D14000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads