formbook | 49609c0487ceeec0771547efd9277b01f494be83549bc0245330672ee962c50c

General

Target

PO 800A3E4.exe
Size

962KB
MD5

d13b3ff3dfdab0ced5ea88729756afd6
SHA1

51ceb5fb8e95c355ee3482e3d3f2c5d678203912
SHA256

49609c0487ceeec0771547efd9277b01f494be83549bc0245330672ee962c50c
SHA512

ab1e9cd76c813462678cbce85623ea31d9e8e379cd7d069f0fb6b1231795fa35cf6e2e0a8ec498f7e5a2d6a9682a9b091a46fbedd7ba5d5d0456e7fd6adeb0ee

Score

10^/10

formbook c249 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c249

C2

http://www.sarahnicolenadler.online/c249/

Decoy

yourbocatubs.com

windutshop.com

kevinellis.email

hzjiya.com

theaethereal.com

charmteesgift.com

tarinikalingarayar.com

thefacesiseek.com

tehuentecnewmcc.com

xn--80ajamkdph6ax.xn--p1acf

gmodwonderlandrp.com

sincerelyenaj.com

youtuan001.com

hekimalandsurveyors.com

madhatterathletics.com

09ex.com

yogrammyraps.com

analytico-australis.com

yourhome403.com

downtown-annapolis.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4232-117-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4232-118-0x000000000041F180-mapping.dmp	formbook
behavioral2/memory/4232-123-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4644-129-0x0000000000680000-0x00000000006AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

PO 800A3E4.exePO 800A3E4.execmmon32.exe

description	pid	process	target process
PID 592 set thread context of 4232	592	PO 800A3E4.exe	PO 800A3E4.exe
PID 4232 set thread context of 2712	4232	PO 800A3E4.exe	Explorer.EXE
PID 4232 set thread context of 2712	4232	PO 800A3E4.exe	Explorer.EXE
PID 4644 set thread context of 2712	4644	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

PO 800A3E4.execmmon32.exe

pid	process
4232	PO 800A3E4.exe
4232	PO 800A3E4.exe
4232	PO 800A3E4.exe
4232	PO 800A3E4.exe
4232	PO 800A3E4.exe
4232	PO 800A3E4.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe
4644	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2712 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PO 800A3E4.execmmon32.exe

pid process

4232 PO 800A3E4.exe
4232 PO 800A3E4.exe
4232 PO 800A3E4.exe
4232 PO 800A3E4.exe
4644 cmmon32.exe
4644 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO 800A3E4.execmmon32.exe

description pid process

Token: SeDebugPrivilege 4232 PO 800A3E4.exe
Token: SeDebugPrivilege 4644 cmmon32.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

PO 800A3E4.exe

pid process

592 PO 800A3E4.exe

pid	process
2712	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4232	PO 800A3E4.exe
Token: SeDebugPrivilege	4644	cmmon32.exe

pid	process
592	PO 800A3E4.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO 800A3E4.exePO 800A3E4.execmmon32.exe

description	pid	process	target process
PID 592 wrote to memory of 4232	592	PO 800A3E4.exe	PO 800A3E4.exe
PID 592 wrote to memory of 4232	592	PO 800A3E4.exe	PO 800A3E4.exe
PID 592 wrote to memory of 4232	592	PO 800A3E4.exe	PO 800A3E4.exe
PID 592 wrote to memory of 4232	592	PO 800A3E4.exe	PO 800A3E4.exe
PID 592 wrote to memory of 4232	592	PO 800A3E4.exe	PO 800A3E4.exe
PID 592 wrote to memory of 4232	592	PO 800A3E4.exe	PO 800A3E4.exe
PID 4232 wrote to memory of 4644	4232	PO 800A3E4.exe	cmmon32.exe
PID 4232 wrote to memory of 4644	4232	PO 800A3E4.exe	cmmon32.exe
PID 4232 wrote to memory of 4644	4232	PO 800A3E4.exe	cmmon32.exe
PID 4644 wrote to memory of 2920	4644	cmmon32.exe	cmd.exe
PID 4644 wrote to memory of 2920	4644	cmmon32.exe	cmd.exe
PID 4644 wrote to memory of 2920	4644	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:2712

C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe
"C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:592

C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe
"C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4644

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO 800A3E4.exe"
5⤵
PID:2920

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:4396

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2656

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1648

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4528

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4532

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4520

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4592

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4584

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4572

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4568

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:4512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-115-0x0000000000740000-0x0000000000746000-memory.dmp

Filesize
24KB

Download
memory/592-116-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/2712-132-0x0000000006BE0000-0x0000000006D22000-memory.dmp

Filesize
1.3MB

Download
memory/2712-125-0x00000000026C0000-0x0000000002774000-memory.dmp

Filesize
720KB

Download
memory/2712-122-0x0000000005500000-0x000000000563B000-memory.dmp

Filesize
1.2MB

Download
memory/2920-130-0x0000000000000000-mapping.dmp

Download
memory/4232-124-0x00000000026F0000-0x0000000002704000-memory.dmp

Filesize
80KB

Download
memory/4232-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4232-120-0x00000000009C0000-0x0000000000CE0000-memory.dmp

Filesize
3.1MB

Download
memory/4232-121-0x0000000000CE0000-0x0000000000CF4000-memory.dmp

Filesize
80KB

Download
memory/4232-118-0x000000000041F180-mapping.dmp

Download
memory/4232-117-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4644-126-0x0000000000000000-mapping.dmp

Download
memory/4644-128-0x00000000047C0000-0x0000000004AE0000-memory.dmp

Filesize
3.1MB

Download
memory/4644-129-0x0000000000680000-0x00000000006AF000-memory.dmp

Filesize
188KB

Download
memory/4644-127-0x0000000001070000-0x000000000107C000-memory.dmp

Filesize
48KB

Download
memory/4644-131-0x0000000004520000-0x00000000045B3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads