formbook | 76e745479aa92ba3a9d7aa6448aab35758ab2ef7ece2a66d4988bd0cde207771

General

Target

Payment receipt.pdf.exe
Size

707KB
MD5

d4be4730ee0e801938ae40b02b5ec346
SHA1

5a36a50fe19f08f5c34db24127b43bdceb85bb42
SHA256

0e6c644f1252507e018b0fbe6b83902adcd2278a083fe1902092f627babf3711
SHA512

d4e4a31f6be9df302010ef550191ab5c4f37aaa277e61b88600253ebd8cb7f3a670b13dfd459dc75f88946f78bc2403ca6739d042a6909411bd20dcfda149a29

Score

10^/10

formbook mo9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

C2

http://www.lievival.info/mo9n/

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4032-126-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4032-127-0x000000000041F110-mapping.dmp	formbook
behavioral2/memory/1812-134-0x00000000007C0000-0x00000000007EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.execontrol.exe

description	pid	process	target process
PID 3912 set thread context of 4032	3912	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 4032 set thread context of 3008	4032	Payment receipt.pdf.exe	Explorer.EXE
PID 1812 set thread context of 3008	1812	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 50 IoCs

Processes:

Payment receipt.pdf.execontrol.exe

pid	process
4032	Payment receipt.pdf.exe
4032	Payment receipt.pdf.exe
4032	Payment receipt.pdf.exe
4032	Payment receipt.pdf.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe
1812	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3008 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment receipt.pdf.execontrol.exe

pid process

4032 Payment receipt.pdf.exe
4032 Payment receipt.pdf.exe
4032 Payment receipt.pdf.exe
1812 control.exe
1812 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Payment receipt.pdf.execontrol.exe

description pid process

Token: SeDebugPrivilege 4032 Payment receipt.pdf.exe
Token: SeDebugPrivilege 1812 control.exe

pid	process
3008	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4032	Payment receipt.pdf.exe
Token: SeDebugPrivilege	1812	control.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Payment receipt.pdf.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 3912 wrote to memory of 4032	3912	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3912 wrote to memory of 4032	3912	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3912 wrote to memory of 4032	3912	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3912 wrote to memory of 4032	3912	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3912 wrote to memory of 4032	3912	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3912 wrote to memory of 4032	3912	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3008 wrote to memory of 1812	3008	Explorer.EXE	control.exe
PID 3008 wrote to memory of 1812	3008	Explorer.EXE	control.exe
PID 3008 wrote to memory of 1812	3008	Explorer.EXE	control.exe
PID 1812 wrote to memory of 2616	1812	control.exe	cmd.exe
PID 1812 wrote to memory of 2616	1812	control.exe	cmd.exe
PID 1812 wrote to memory of 2616	1812	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3008

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3912

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4032

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1812

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
3⤵
PID:2616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1812-137-0x00000000047C0000-0x0000000004853000-memory.dmp

Filesize
588KB

Download
memory/1812-136-0x0000000004950000-0x0000000004C70000-memory.dmp

Filesize
3.1MB

Download
memory/1812-133-0x0000000000D20000-0x0000000000D40000-memory.dmp

Filesize
128KB

Download
memory/1812-134-0x00000000007C0000-0x00000000007EF000-memory.dmp

Filesize
188KB

Download
memory/1812-132-0x0000000000000000-mapping.dmp

Download
memory/2616-135-0x0000000000000000-mapping.dmp

Download
memory/3008-130-0x0000000006300000-0x000000000642E000-memory.dmp

Filesize
1.2MB

Download
memory/3008-138-0x00000000027E0000-0x00000000028A0000-memory.dmp

Filesize
768KB

Download
memory/3912-121-0x0000000007C20000-0x0000000007C21000-memory.dmp

Filesize
4KB

Download
memory/3912-120-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/3912-117-0x0000000007980000-0x0000000007981000-memory.dmp

Filesize
4KB

Download
memory/3912-118-0x0000000007F20000-0x0000000007F21000-memory.dmp

Filesize
4KB

Download
memory/3912-119-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/3912-124-0x0000000004F00000-0x0000000004F83000-memory.dmp

Filesize
524KB

Download
memory/3912-125-0x0000000007EE0000-0x0000000007F10000-memory.dmp

Filesize
192KB

Download
memory/3912-123-0x0000000007AB0000-0x0000000007ABE000-memory.dmp

Filesize
56KB

Download
memory/3912-122-0x0000000007A20000-0x0000000007F1E000-memory.dmp

Filesize
5.0MB

Download
memory/3912-115-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

Filesize
4KB

Download
memory/4032-131-0x00000000017D0000-0x00000000017E4000-memory.dmp

Filesize
80KB

Download
memory/4032-129-0x0000000001800000-0x0000000001B20000-memory.dmp

Filesize
3.1MB

Download
memory/4032-127-0x000000000041F110-mapping.dmp

Download
memory/4032-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads