formbook | 76e745479aa92ba3a9d7aa6448aab35758ab2ef7ece2a66d4988bd0cde207771

General

Target

Payment receipt.pdf.exe
Size

707KB
MD5

d4be4730ee0e801938ae40b02b5ec346
SHA1

5a36a50fe19f08f5c34db24127b43bdceb85bb42
SHA256

0e6c644f1252507e018b0fbe6b83902adcd2278a083fe1902092f627babf3711
SHA512

d4e4a31f6be9df302010ef550191ab5c4f37aaa277e61b88600253ebd8cb7f3a670b13dfd459dc75f88946f78bc2403ca6739d042a6909411bd20dcfda149a29

Score

10^/10

formbook mo9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

C2

http://www.lievival.info/mo9n/

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1460-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1460-63-0x000000000041F110-mapping.dmp	formbook
behavioral1/memory/424-72-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1964 cmd.exe

pid	process
1964	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.exemstsc.exe

description	pid	process	target process
PID 1616 set thread context of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1460 set thread context of 1364	1460	Payment receipt.pdf.exe	Explorer.EXE
PID 424 set thread context of 1364	424	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

Payment receipt.pdf.exemstsc.exe

pid	process
1460	Payment receipt.pdf.exe
1460	Payment receipt.pdf.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe
424	mstsc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment receipt.pdf.exemstsc.exe

pid process

1460 Payment receipt.pdf.exe
1460 Payment receipt.pdf.exe
1460 Payment receipt.pdf.exe
424 mstsc.exe
424 mstsc.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment receipt.pdf.exemstsc.exe

description pid process

Token: SeDebugPrivilege 1460 Payment receipt.pdf.exe
Token: SeDebugPrivilege 424 mstsc.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1364 Explorer.EXE
1364 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1460	Payment receipt.pdf.exe
Token: SeDebugPrivilege	424	mstsc.exe

pid	process
1364	Explorer.EXE
1364	Explorer.EXE

pid	process
1364	Explorer.EXE
1364	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Payment receipt.pdf.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 1616 wrote to memory of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1616 wrote to memory of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1616 wrote to memory of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1616 wrote to memory of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1616 wrote to memory of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1616 wrote to memory of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1616 wrote to memory of 1460	1616	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1364 wrote to memory of 424	1364	Explorer.EXE	mstsc.exe
PID 1364 wrote to memory of 424	1364	Explorer.EXE	mstsc.exe
PID 1364 wrote to memory of 424	1364	Explorer.EXE	mstsc.exe
PID 1364 wrote to memory of 424	1364	Explorer.EXE	mstsc.exe
PID 424 wrote to memory of 1964	424	mstsc.exe	cmd.exe
PID 424 wrote to memory of 1964	424	mstsc.exe	cmd.exe
PID 424 wrote to memory of 1964	424	mstsc.exe	cmd.exe
PID 424 wrote to memory of 1964	424	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1364

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1460

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:424

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
3⤵
- Deletes itself
PID:1964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/424-74-0x0000000000B10000-0x0000000000BA3000-memory.dmp

Filesize
588KB

Download
memory/424-71-0x0000000000F80000-0x0000000001084000-memory.dmp

Filesize
1.0MB

Download
memory/424-73-0x0000000000C30000-0x0000000000F33000-memory.dmp

Filesize
3.0MB

Download
memory/424-72-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/424-69-0x0000000076B61000-0x0000000076B63000-memory.dmp

Filesize
8KB

Download
memory/424-68-0x0000000000000000-mapping.dmp

Download
memory/1364-67-0x0000000003FB0000-0x00000000040AC000-memory.dmp

Filesize
1008KB

Download
memory/1364-75-0x0000000006FE0000-0x0000000007125000-memory.dmp

Filesize
1.3MB

Download
memory/1460-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-65-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/1460-66-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1460-63-0x000000000041F110-mapping.dmp

Download
memory/1460-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1460-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-54-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/1616-59-0x0000000001FB0000-0x0000000001FE0000-memory.dmp

Filesize
192KB

Download
memory/1616-58-0x0000000001E80000-0x0000000001F03000-memory.dmp

Filesize
524KB

Download
memory/1616-57-0x0000000007270000-0x0000000007271000-memory.dmp

Filesize
4KB

Download
memory/1616-56-0x00000000002A0000-0x00000000002AE000-memory.dmp

Filesize
56KB

Download
memory/1964-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads