formbook | 6243afcc3184f4bf3f969dd7fed686e57e574d17417ec71351bc71d5adba673d

General

Target

Payment receipt.pdf.exe
Size

707KB
MD5

d4be4730ee0e801938ae40b02b5ec346
SHA1

5a36a50fe19f08f5c34db24127b43bdceb85bb42
SHA256

0e6c644f1252507e018b0fbe6b83902adcd2278a083fe1902092f627babf3711
SHA512

d4e4a31f6be9df302010ef550191ab5c4f37aaa277e61b88600253ebd8cb7f3a670b13dfd459dc75f88946f78bc2403ca6739d042a6909411bd20dcfda149a29

Score

10^/10

formbook mo9n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mo9n

C2

http://www.lievival.info/mo9n/

Decoy

circuit-town.com

stock-high.xyz

barlindelivery.com

littletoucans.com

bright-tailor.com

firsthandcares.com

ecompropeller.com

circuitoalberghiero.net

creative-egyptps.com

bitracks56.com

douhonghong.com

fingertipcollection.com

happy-bihada.space

blockchainairdropreward.com

xn--reljame-jwa.com

polloycarnesdelivery.com

d22.group

eslamshahrservice.com

vanzing.com

juzide.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral9/memory/1644-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral9/memory/1644-63-0x000000000041F110-mapping.dmp	formbook
behavioral9/memory/1644-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral9/memory/396-74-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1788 cmd.exe

pid	process
1788	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.exewininit.exe

description	pid	process	target process
PID 948 set thread context of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1644 set thread context of 1356	1644	Payment receipt.pdf.exe	Explorer.EXE
PID 1644 set thread context of 1356	1644	Payment receipt.pdf.exe	Explorer.EXE
PID 396 set thread context of 1356	396	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.exewininit.exe

pid	process
948	Payment receipt.pdf.exe
1644	Payment receipt.pdf.exe
1644	Payment receipt.pdf.exe
1644	Payment receipt.pdf.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe
396	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Payment receipt.pdf.exewininit.exe

pid process

1644 Payment receipt.pdf.exe
1644 Payment receipt.pdf.exe
1644 Payment receipt.pdf.exe
1644 Payment receipt.pdf.exe
396 wininit.exe
396 wininit.exe

pid	process
1356	Explorer.EXE

pid	process
1644	Payment receipt.pdf.exe
1644	Payment receipt.pdf.exe
1644	Payment receipt.pdf.exe
1644	Payment receipt.pdf.exe
396	wininit.exe
396	wininit.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

Payment receipt.pdf.exePayment receipt.pdf.exewininit.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	948	Payment receipt.pdf.exe
Token: SeDebugPrivilege	1644	Payment receipt.pdf.exe
Token: SeDebugPrivilege	396	wininit.exe
Token: SeShutdownPrivilege	1356	Explorer.EXE
Token: SeShutdownPrivilege	1356	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1356 Explorer.EXE
1356 Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

pid	process
1356	Explorer.EXE
1356	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

Payment receipt.pdf.exeExplorer.EXEwininit.exe

description	pid	process	target process
PID 948 wrote to memory of 668	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 668	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 668	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 668	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 948 wrote to memory of 1644	948	Payment receipt.pdf.exe	Payment receipt.pdf.exe
PID 1356 wrote to memory of 396	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 396	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 396	1356	Explorer.EXE	wininit.exe
PID 1356 wrote to memory of 396	1356	Explorer.EXE	wininit.exe
PID 396 wrote to memory of 1788	396	wininit.exe	cmd.exe
PID 396 wrote to memory of 1788	396	wininit.exe	cmd.exe
PID 396 wrote to memory of 1788	396	wininit.exe	cmd.exe
PID 396 wrote to memory of 1788	396	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1356

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:948

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
3⤵
PID:668

C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:396

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Payment receipt.pdf.exe"
3⤵
- Deletes itself
PID:1788

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/396-74-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/396-71-0x0000000000000000-mapping.dmp

Download
memory/396-76-0x00000000009E0000-0x0000000000A73000-memory.dmp

Filesize
588KB

Download
memory/396-75-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download
memory/396-73-0x0000000000F70000-0x0000000000F8A000-memory.dmp

Filesize
104KB

Download
memory/948-56-0x00000000071B0000-0x00000000071B1000-memory.dmp

Filesize
4KB

Download
memory/948-57-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/948-58-0x0000000000340000-0x00000000003C3000-memory.dmp

Filesize
524KB

Download
memory/948-59-0x0000000000840000-0x0000000000870000-memory.dmp

Filesize
192KB

Download
memory/948-54-0x0000000000C00000-0x0000000000C01000-memory.dmp

Filesize
4KB

Download
memory/1356-77-0x0000000007DC0000-0x0000000007EC5000-memory.dmp

Filesize
1.0MB

Download
memory/1356-66-0x0000000007120000-0x000000000726F000-memory.dmp

Filesize
1.3MB

Download
memory/1356-70-0x0000000007270000-0x00000000073E4000-memory.dmp

Filesize
1.5MB

Download
memory/1644-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-69-0x0000000000250000-0x0000000000264000-memory.dmp

Filesize
80KB

Download
memory/1644-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-67-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1644-65-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1644-63-0x000000000041F110-mapping.dmp

Download
memory/1644-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1644-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1788-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads