formbook | afef0a80915c7ebea814b4b1a93170067eab6d25b37ae0798c1950cd382577a4

General

Target

Reversed Invoice for new products.exe
Size

588KB
MD5

c143e48329117200f2fed704dd8a3427
SHA1

14bf703e576ff1b76b9ad540fda7bbdd748e78c0
SHA256

1910bc92f591b3feb607aac1518fe2cc6c834b627b76637cb27464006e072a22
SHA512

6bf52af4e5ffdf845f154e1e81b98ab8f46136379b5e3ba9152243b9a3906566862df6e0171f0036214de2901d3212d42af0a12db06ca2cd999577dc14b52ff5

Score

10^/10

formbook r4gk rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

r4gk

C2

http://www.aprilsaak.quest/r4gk/

Decoy

quantalix.com

animalblog-eggs.com

039skz.xyz

guttas.net

lasantadayparty.com

protegerfinanceservices.com

vixtest.xyz

digitaleconomy.global

0xpax.xyz

mobilehome1688.com

themotionpartners.com

valueney.com

hattuafhv.quest

js0061gj.net

360metaverse.biz

seculardata.com

346727688.xyz

smartmapom.com

moksel.com

exoduswatchco.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2812-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2812-125-0x000000000041F110-mapping.dmp	formbook
behavioral2/memory/1740-132-0x0000000002B10000-0x0000000002B3F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Reversed Invoice for new products.exeReversed Invoice for new products.exewscript.exe

description	pid	process	target process
PID 2868 set thread context of 2812	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2812 set thread context of 3000	2812	Reversed Invoice for new products.exe	Explorer.EXE
PID 1740 set thread context of 3000	1740	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 46 IoCs

Processes:

Reversed Invoice for new products.exeReversed Invoice for new products.exewscript.exe

pid	process
2868	Reversed Invoice for new products.exe
2868	Reversed Invoice for new products.exe
2868	Reversed Invoice for new products.exe
2868	Reversed Invoice for new products.exe
2868	Reversed Invoice for new products.exe
2868	Reversed Invoice for new products.exe
2812	Reversed Invoice for new products.exe
2812	Reversed Invoice for new products.exe
2812	Reversed Invoice for new products.exe
2812	Reversed Invoice for new products.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe
1740	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3000 Explorer.EXE

pid	process
3000	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Reversed Invoice for new products.exewscript.exe

pid	process
2812	Reversed Invoice for new products.exe
2812	Reversed Invoice for new products.exe
2812	Reversed Invoice for new products.exe
1740	wscript.exe
1740	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Reversed Invoice for new products.exeReversed Invoice for new products.exewscript.exe

description	pid	process
Token: SeDebugPrivilege	2868	Reversed Invoice for new products.exe
Token: SeDebugPrivilege	2812	Reversed Invoice for new products.exe
Token: SeDebugPrivilege	1740	wscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Reversed Invoice for new products.exeExplorer.EXEwscript.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3000

C:\Users\Admin\AppData\Local\Temp\Reversed Invoice for new products.exe
"C:\Users\Admin\AppData\Local\Temp\Reversed Invoice for new products.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\Reversed Invoice for new products.exe
"C:\Users\Admin\AppData\Local\Temp\Reversed Invoice for new products.exe"
3⤵
PID:1352

C:\Users\Admin\AppData\Local\Temp\Reversed Invoice for new products.exe
"C:\Users\Admin\AppData\Local\Temp\Reversed Invoice for new products.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2812

C:\Windows\SysWOW64\wscript.exe
"C:\Windows\SysWOW64\wscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Reversed Invoice for new products.exe"
3⤵
PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-133-0x0000000000000000-mapping.dmp

Download
memory/1740-130-0x0000000000000000-mapping.dmp

Download
memory/1740-135-0x00000000048C0000-0x0000000004953000-memory.dmp

Filesize
588KB

Download
memory/1740-134-0x0000000004500000-0x0000000004820000-memory.dmp

Filesize
3.1MB

Download
memory/1740-132-0x0000000002B10000-0x0000000002B3F000-memory.dmp

Filesize
188KB

Download
memory/1740-131-0x0000000000AE0000-0x0000000000B07000-memory.dmp

Filesize
156KB

Download
memory/2812-128-0x0000000000E40000-0x0000000000E54000-memory.dmp

Filesize
80KB

Download
memory/2812-127-0x0000000000E80000-0x00000000011A0000-memory.dmp

Filesize
3.1MB

Download
memory/2812-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2812-125-0x000000000041F110-mapping.dmp

Download
memory/2868-122-0x0000000008CA0000-0x0000000008CA1000-memory.dmp

Filesize
4KB

Download
memory/2868-115-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/2868-123-0x0000000008C50000-0x0000000008CA0000-memory.dmp

Filesize
320KB

Download
memory/2868-121-0x0000000005840000-0x0000000005846000-memory.dmp

Filesize
24KB

Download
memory/2868-120-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2868-119-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/2868-118-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/2868-117-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/3000-129-0x0000000004EC0000-0x0000000004FCB000-memory.dmp

Filesize
1.0MB

Download
memory/3000-136-0x00000000024F0000-0x00000000025D7000-memory.dmp

Filesize
924KB

Download

description	pid	process	target process
PID 2868 wrote to memory of 1352	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 1352	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 1352	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 2812	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 2812	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 2812	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 2812	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 2812	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 2868 wrote to memory of 2812	2868	Reversed Invoice for new products.exe	Reversed Invoice for new products.exe
PID 3000 wrote to memory of 1740	3000	Explorer.EXE	wscript.exe
PID 3000 wrote to memory of 1740	3000	Explorer.EXE	wscript.exe
PID 3000 wrote to memory of 1740	3000	Explorer.EXE	wscript.exe
PID 1740 wrote to memory of 588	1740	wscript.exe	cmd.exe
PID 1740 wrote to memory of 588	1740	wscript.exe	cmd.exe
PID 1740 wrote to memory of 588	1740	wscript.exe	cmd.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads