formbook | 6243afcc3184f4bf3f969dd7fed686e57e574d17417ec71351bc71d5adba673d

General

Target

Payment receipt.pdf.exe
Size

707KB
MD5

d4be4730ee0e801938ae40b02b5ec346
SHA1

5a36a50fe19f08f5c34db24127b43bdceb85bb42
SHA256

0e6c644f1252507e018b0fbe6b83902adcd2278a083fe1902092f627babf3711
SHA512

d4e4a31f6be9df302010ef550191ab5c4f37aaa277e61b88600253ebd8cb7f3a670b13dfd459dc75f88946f78bc2403ca6739d042a6909411bd20dcfda149a29

Score

10^/10

formbook mo9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

C2

http://www.lievival.info/mo9n/

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral10/memory/3996-126-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral10/memory/3996-127-0x000000000041F110-mapping.dmp	formbook
behavioral10/memory/2012-134-0x0000000000A40000-0x0000000000A6F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.exewscript.exe

description	pid	process	target process
PID 2044 set thread context of 3996	2044	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3996 set thread context of 3040	3996	Payment receipt.pdf.exe	Explorer.EXE
PID 2012 set thread context of 3040	2012	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Payment receipt.pdf.exewscript.exe

pid	process
3996	Payment receipt.pdf.exe
3996	Payment receipt.pdf.exe
3996	Payment receipt.pdf.exe
3996	Payment receipt.pdf.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe
2012	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3040 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Payment receipt.pdf.exewscript.exe

pid process

3996 Payment receipt.pdf.exe
3996 Payment receipt.pdf.exe
3996 Payment receipt.pdf.exe
2012 wscript.exe
2012 wscript.exe

pid	process
3040	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

Payment receipt.pdf.exewscript.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3996	Payment receipt.pdf.exe
Token: SeDebugPrivilege	2012	wscript.exe
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE
Token: SeShutdownPrivilege	3040	Explorer.EXE
Token: SeCreatePagefilePrivilege	3040	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Payment receipt.pdf.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 2044 wrote to memory of 3996	2044	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2044 wrote to memory of 3996	2044	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2044 wrote to memory of 3996	2044	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2044 wrote to memory of 3996	2044	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2044 wrote to memory of 3996	2044	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 2044 wrote to memory of 3996	2044	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 3040 wrote to memory of 2012	3040	Explorer.EXE	wscript.exe
PID 3040 wrote to memory of 2012	3040	Explorer.EXE	wscript.exe
PID 3040 wrote to memory of 2012	3040	Explorer.EXE	wscript.exe
PID 2012 wrote to memory of 1908	2012	wscript.exe	cmd.exe
PID 2012 wrote to memory of 1908	2012	wscript.exe	cmd.exe
PID 2012 wrote to memory of 1908	2012	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3996

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:2904

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
3⤵
PID:1908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1908-135-0x0000000000000000-mapping.dmp

Download
memory/2012-132-0x0000000000000000-mapping.dmp

Download
memory/2012-137-0x0000000004C00000-0x0000000004C93000-memory.dmp

Filesize
588KB

Download
memory/2012-136-0x0000000004DD0000-0x00000000050F0000-memory.dmp

Filesize
3.1MB

Download
memory/2012-133-0x0000000000B40000-0x0000000000B67000-memory.dmp

Filesize
156KB

Download
memory/2012-134-0x0000000000A40000-0x0000000000A6F000-memory.dmp

Filesize
188KB

Download
memory/2044-121-0x0000000007770000-0x0000000007771000-memory.dmp

Filesize
4KB

Download
memory/2044-119-0x0000000007870000-0x0000000007871000-memory.dmp

Filesize
4KB

Download
memory/2044-124-0x0000000002C90000-0x0000000002D13000-memory.dmp

Filesize
524KB

Download
memory/2044-125-0x00000000064E0000-0x0000000006510000-memory.dmp

Filesize
192KB

Download
memory/2044-123-0x0000000007A10000-0x0000000007A1E000-memory.dmp

Filesize
56KB

Download
memory/2044-117-0x00000000077D0000-0x00000000077D1000-memory.dmp

Filesize
4KB

Download
memory/2044-118-0x0000000007D70000-0x0000000007D71000-memory.dmp

Filesize
4KB

Download
memory/2044-122-0x0000000007A50000-0x0000000007A51000-memory.dmp

Filesize
4KB

Download
memory/2044-115-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2044-120-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/3040-138-0x0000000006920000-0x0000000006A21000-memory.dmp

Filesize
1.0MB

Download
memory/3040-131-0x0000000002AC0000-0x0000000002B80000-memory.dmp

Filesize
768KB

Download
memory/3996-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3996-130-0x0000000001450000-0x0000000001464000-memory.dmp

Filesize
80KB

Download
memory/3996-129-0x0000000001A50000-0x0000000001D70000-memory.dmp

Filesize
3.1MB

Download
memory/3996-127-0x000000000041F110-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads