formbook | f31eb9a6841607a9a9cf253ef2ad8d27ac6d13289ee5420ebcf7f0f47ef46736

Analysis

max time kernel
149s
max time network
140s
platform
windows10_x64
resource
win10-en-20211014
submitted
29-10-2021 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.exe
Size

652KB
MD5

ab6287e540cccfff7fc470053db92302
SHA1

09387a7e22e87c9555cd8abc2a9801c6e678dc05
SHA256

f31eb9a6841607a9a9cf253ef2ad8d27ac6d13289ee5420ebcf7f0f47ef46736
SHA512

3e641de591b8385408a476449cb5015d423e7ddf76b7da6299e5ff32e5d63a2fc9339c8fb21b016e457558b2e71d5d84a3ea5d949c49e42806ad729347e32da2

Score

10^/10

formbook snr6 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

snr6

http://www.reynbetgirisi.com/snr6/

Decoy

jjglassmi1.com

vpsseattle.com

drfllc.top

staycoolonline.com

eptlove.com

solusimatasehat.site

ionrarecharlestonproperties.com

b3eflucg.xyz

tvchosun-usa.com

mmahzxwzsadqlshop.life

gospelimport.com

demoapps.website

jackburst54.com

99rocket.education

ccbwithbri.com

trapperairsoft.com

useroadly.com

ralphlaurenonline-nl.com

loanmaster4u.com

champ-beauty-tomigaoka-nail.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2852-127-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2852-128-0x000000000041F130-mapping.dmp	formbook
behavioral2/memory/2368-183-0x0000000003090000-0x00000000030BF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

1.exe1.execmstp.exe

description	pid	process	target process
PID 4052 set thread context of 2852	4052	1.exe	1.exe
PID 2852 set thread context of 3028	2852	1.exe	Explorer.EXE
PID 2368 set thread context of 3028	2368	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

1.execmstp.exe

pid	process
2852	1.exe
2852	1.exe
2852	1.exe
2852	1.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe
2368	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3028 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

1.execmstp.exe

pid process

2852 1.exe
2852 1.exe
2852 1.exe
2368 cmstp.exe
2368 cmstp.exe

pid	process
3028	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

1.exeExplorer.EXEcmstp.exe

description	pid	process
Token: SeDebugPrivilege	2852	1.exe
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeDebugPrivilege	2368	cmstp.exe
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE
Token: SeShutdownPrivilege	3028	Explorer.EXE
Token: SeCreatePagefilePrivilege	3028	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

1.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 4052 wrote to memory of 2852	4052	1.exe	1.exe
PID 4052 wrote to memory of 2852	4052	1.exe	1.exe
PID 4052 wrote to memory of 2852	4052	1.exe	1.exe
PID 4052 wrote to memory of 2852	4052	1.exe	1.exe
PID 4052 wrote to memory of 2852	4052	1.exe	1.exe
PID 4052 wrote to memory of 2852	4052	1.exe	1.exe
PID 3028 wrote to memory of 2368	3028	Explorer.EXE	cmstp.exe
PID 3028 wrote to memory of 2368	3028	Explorer.EXE	cmstp.exe
PID 3028 wrote to memory of 2368	3028	Explorer.EXE	cmstp.exe
PID 2368 wrote to memory of 1092	2368	cmstp.exe	cmd.exe
PID 2368 wrote to memory of 1092	2368	cmstp.exe	cmd.exe
PID 2368 wrote to memory of 1092	2368	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3028

C:\Users\Admin\AppData\Local\Temp\1.exe
"C:\Users\Admin\AppData\Local\Temp\1.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4052

C:\Users\Admin\AppData\Local\Temp\1.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2852

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\1.exe"
3⤵
PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1092-181-0x0000000000000000-mapping.dmp

Download
memory/2368-185-0x0000000004A40000-0x0000000004AD3000-memory.dmp

Filesize
588KB

Download
memory/2368-184-0x0000000004680000-0x00000000049A0000-memory.dmp

Filesize
3.1MB

Download
memory/2368-182-0x0000000000DA0000-0x0000000000DB6000-memory.dmp

Filesize
88KB

Download
memory/2368-183-0x0000000003090000-0x00000000030BF000-memory.dmp

Filesize
188KB

Download
memory/2368-180-0x0000000000000000-mapping.dmp

Download
memory/2852-127-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2852-128-0x000000000041F130-mapping.dmp

Download
memory/2852-131-0x00000000009C0000-0x0000000000B0A000-memory.dmp

Filesize
1.3MB

Download
memory/2852-130-0x0000000000EF0000-0x0000000001210000-memory.dmp

Filesize
3.1MB

Download
memory/3028-178-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-139-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-133-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-135-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/3028-136-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-228-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-138-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-225-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/3028-140-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-141-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-142-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-143-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-144-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-145-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-146-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-147-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-148-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-149-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-150-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-152-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-151-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-153-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-154-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-155-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-156-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-157-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-158-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-159-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-161-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-160-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/3028-163-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-162-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-165-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-164-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-166-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-167-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/3028-169-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/3028-168-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-171-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-170-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-173-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-175-0x0000000002210000-0x0000000002220000-memory.dmp

Filesize
64KB

Download
memory/3028-176-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-174-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-172-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-177-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-227-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-179-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-226-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-223-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-229-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-134-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-137-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-132-0x0000000005D30000-0x0000000005E58000-memory.dmp

Filesize
1.2MB

Download
memory/3028-186-0x0000000002700000-0x00000000027D2000-memory.dmp

Filesize
840KB

Download
memory/3028-187-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/3028-188-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-189-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-190-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-191-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-192-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-193-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-194-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-195-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-196-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-197-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-198-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-199-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-200-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-201-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-202-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-203-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-204-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-205-0x00000000007E0000-0x00000000007E2000-memory.dmp

Filesize
8KB

Download
memory/3028-206-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-207-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-208-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-209-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-211-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-210-0x00000000007B0000-0x00000000007C0000-memory.dmp

Filesize
64KB

Download
memory/3028-212-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/3028-213-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-214-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-215-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-216-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-218-0x00000000007A0000-0x00000000007B0000-memory.dmp

Filesize
64KB

Download
memory/3028-217-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-220-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-219-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-221-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-222-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/3028-224-0x0000000002150000-0x0000000002160000-memory.dmp

Filesize
64KB

Download
memory/4052-119-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/4052-120-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/4052-121-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/4052-117-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/4052-115-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/4052-118-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4052-122-0x0000000005860000-0x0000000005D5E000-memory.dmp

Filesize
5.0MB

Download
memory/4052-123-0x000000007F1F0000-0x000000007F1F1000-memory.dmp

Filesize
4KB

Download
memory/4052-124-0x0000000007680000-0x000000000768E000-memory.dmp

Filesize
56KB

Download
memory/4052-125-0x0000000007C80000-0x0000000007D01000-memory.dmp

Filesize
516KB

Download
memory/4052-126-0x000000000A340000-0x000000000A370000-memory.dmp

Filesize
192KB

Download