formbook | 47ad5f9aa8949afcd5f9c23bd1394ed45a3516b2f8a2d18aa67904e8695b9b15

General

Target

TT copy for our payment.exe
Size

430KB
MD5

b87c1e2bb5ba0a04b614ba14b6ef91c2
SHA1

a02e178c8f33b48f3fa8d548762a29adcc359cac
SHA256

fc9165f2702032e355b392fe6ada38cfd6e1eceafb5453de7991369addd266a6
SHA512

36889e872c6eb47d664601c39dc789d016260b348a32f2b26ddffbc7603445f492749d3b0c00c2733a7c8a169fb95aa42b0e46166322ef1379f83f89004358f8

Score

10^/10

formbook r4gk rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

r4gk

C2

http://www.aprilsaak.quest/r4gk/

Decoy

quantalix.com

animalblog-eggs.com

039skz.xyz

guttas.net

lasantadayparty.com

protegerfinanceservices.com

vixtest.xyz

digitaleconomy.global

0xpax.xyz

mobilehome1688.com

themotionpartners.com

valueney.com

hattuafhv.quest

js0061gj.net

360metaverse.biz

seculardata.com

346727688.xyz

smartmapom.com

moksel.com

exoduswatchco.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1324-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1324-62-0x000000000041F110-mapping.dmp	formbook
behavioral1/memory/340-70-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1408 cmd.exe

pid	process
1408	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

TT copy for our payment.exeTT copy for our payment.execmmon32.exe

description	pid	process	target process
PID 932 set thread context of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 1324 set thread context of 1428	1324	TT copy for our payment.exe	Explorer.EXE
PID 340 set thread context of 1428	340	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

TT copy for our payment.exeTT copy for our payment.execmmon32.exe

pid	process
932	TT copy for our payment.exe
932	TT copy for our payment.exe
932	TT copy for our payment.exe
932	TT copy for our payment.exe
1324	TT copy for our payment.exe
1324	TT copy for our payment.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe
340	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

TT copy for our payment.execmmon32.exe

pid process

1324 TT copy for our payment.exe
1324 TT copy for our payment.exe
1324 TT copy for our payment.exe
340 cmmon32.exe
340 cmmon32.exe

pid	process
1324	TT copy for our payment.exe
1324	TT copy for our payment.exe
1324	TT copy for our payment.exe
340	cmmon32.exe
340	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

TT copy for our payment.exeTT copy for our payment.execmmon32.exe

description	pid	process
Token: SeDebugPrivilege	932	TT copy for our payment.exe
Token: SeDebugPrivilege	1324	TT copy for our payment.exe
Token: SeDebugPrivilege	340	cmmon32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1428 Explorer.EXE
1428 Explorer.EXE

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

pid	process
1428	Explorer.EXE
1428	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

TT copy for our payment.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 932 wrote to memory of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 932 wrote to memory of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 932 wrote to memory of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 932 wrote to memory of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 932 wrote to memory of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 932 wrote to memory of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 932 wrote to memory of 1324	932	TT copy for our payment.exe	TT copy for our payment.exe
PID 1428 wrote to memory of 340	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 340	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 340	1428	Explorer.EXE	cmmon32.exe
PID 1428 wrote to memory of 340	1428	Explorer.EXE	cmmon32.exe
PID 340 wrote to memory of 1408	340	cmmon32.exe	cmd.exe
PID 340 wrote to memory of 1408	340	cmmon32.exe	cmd.exe
PID 340 wrote to memory of 1408	340	cmmon32.exe	cmd.exe
PID 340 wrote to memory of 1408	340	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1428

C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe
"C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:932

C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe
"C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:340

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\TT copy for our payment.exe"
3⤵
- Deletes itself
PID:1408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/340-67-0x0000000000000000-mapping.dmp

Download
memory/340-72-0x0000000000820000-0x00000000008B3000-memory.dmp

Filesize
588KB

Download
memory/340-71-0x00000000009B0000-0x0000000000CB3000-memory.dmp

Filesize
3.0MB

Download
memory/340-70-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/340-69-0x0000000000D10000-0x0000000000D1D000-memory.dmp

Filesize
52KB

Download
memory/932-56-0x0000000000A20000-0x0000000000A21000-memory.dmp

Filesize
4KB

Download
memory/932-57-0x0000000000540000-0x0000000000546000-memory.dmp

Filesize
24KB

Download
memory/932-58-0x0000000004500000-0x0000000004550000-memory.dmp

Filesize
320KB

Download
memory/932-54-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/1324-65-0x0000000000110000-0x0000000000124000-memory.dmp

Filesize
80KB

Download
memory/1324-64-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1324-62-0x000000000041F110-mapping.dmp

Download
memory/1324-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1324-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-68-0x0000000000000000-mapping.dmp

Download
memory/1428-66-0x0000000004140000-0x000000000420F000-memory.dmp

Filesize
828KB

Download
memory/1428-73-0x0000000006590000-0x0000000006628000-memory.dmp

Filesize
608KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads