formbook | 49609c0487ceeec0771547efd9277b01f494be83549bc0245330672ee962c50c

General

Target

PO 800A3E4.exe
Size

962KB
MD5

d13b3ff3dfdab0ced5ea88729756afd6
SHA1

51ceb5fb8e95c355ee3482e3d3f2c5d678203912
SHA256

49609c0487ceeec0771547efd9277b01f494be83549bc0245330672ee962c50c
SHA512

ab1e9cd76c813462678cbce85623ea31d9e8e379cd7d069f0fb6b1231795fa35cf6e2e0a8ec498f7e5a2d6a9682a9b091a46fbedd7ba5d5d0456e7fd6adeb0ee

Score

10^/10

formbook c249 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c249

C2

http://www.sarahnicolenadler.online/c249/

Decoy

yourbocatubs.com

windutshop.com

kevinellis.email

hzjiya.com

theaethereal.com

charmteesgift.com

tarinikalingarayar.com

thefacesiseek.com

tehuentecnewmcc.com

xn--80ajamkdph6ax.xn--p1acf

gmodwonderlandrp.com

sincerelyenaj.com

youtuan001.com

hekimalandsurveyors.com

madhatterathletics.com

09ex.com

yogrammyraps.com

analytico-australis.com

yourhome403.com

downtown-annapolis.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/688-59-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/688-60-0x000000000041F180-mapping.dmp	formbook
behavioral1/memory/1460-68-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

968 cmd.exe

pid	process
968	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO 800A3E4.exePO 800A3E4.execmmon32.exe

description	pid	process	target process
PID 520 set thread context of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 688 set thread context of 1252	688	PO 800A3E4.exe	Explorer.EXE
PID 1460 set thread context of 1252	1460	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

PO 800A3E4.execmmon32.exe

pid	process
688	PO 800A3E4.exe
688	PO 800A3E4.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe
1460	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO 800A3E4.execmmon32.exe

pid process

688 PO 800A3E4.exe
688 PO 800A3E4.exe
688 PO 800A3E4.exe
1460 cmmon32.exe
1460 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO 800A3E4.execmmon32.exe

description pid process

Token: SeDebugPrivilege 688 PO 800A3E4.exe
Token: SeDebugPrivilege 1460 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO 800A3E4.exe

pid process

520 PO 800A3E4.exe

pid	process
1252	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	688	PO 800A3E4.exe
Token: SeDebugPrivilege	1460	cmmon32.exe

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
520	PO 800A3E4.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

PO 800A3E4.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 520 wrote to memory of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 520 wrote to memory of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 520 wrote to memory of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 520 wrote to memory of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 520 wrote to memory of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 520 wrote to memory of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 520 wrote to memory of 688	520	PO 800A3E4.exe	PO 800A3E4.exe
PID 1252 wrote to memory of 1460	1252	Explorer.EXE	cmmon32.exe
PID 1252 wrote to memory of 1460	1252	Explorer.EXE	cmmon32.exe
PID 1252 wrote to memory of 1460	1252	Explorer.EXE	cmmon32.exe
PID 1252 wrote to memory of 1460	1252	Explorer.EXE	cmmon32.exe
PID 1460 wrote to memory of 968	1460	cmmon32.exe	cmd.exe
PID 1460 wrote to memory of 968	1460	cmmon32.exe	cmd.exe
PID 1460 wrote to memory of 968	1460	cmmon32.exe	cmd.exe
PID 1460 wrote to memory of 968	1460	cmmon32.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe
"C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:520

C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe
"C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:688

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1460

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe"
3⤵
- Deletes itself
PID:968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-56-0x00000000001B0000-0x00000000001BA000-memory.dmp

Filesize
40KB

Download
memory/520-55-0x00000000001B0000-0x00000000001B6000-memory.dmp

Filesize
24KB

Download
memory/688-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/688-60-0x000000000041F180-mapping.dmp

Download
memory/688-62-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/688-63-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/968-66-0x0000000000000000-mapping.dmp

Download
memory/1252-64-0x00000000072B0000-0x000000000741D000-memory.dmp

Filesize
1.4MB

Download
memory/1252-71-0x00000000060B0000-0x0000000006158000-memory.dmp

Filesize
672KB

Download
memory/1460-65-0x0000000000000000-mapping.dmp

Download
memory/1460-67-0x0000000000F30000-0x0000000000F3D000-memory.dmp

Filesize
52KB

Download
memory/1460-68-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1460-69-0x0000000000AB0000-0x0000000000DB3000-memory.dmp

Filesize
3.0MB

Download
memory/1460-70-0x00000000009C0000-0x0000000000A53000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads