formbook | 7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba

General

Target

S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
Size

448KB
MD5

78be75029064bfcd03eedce61e018d9b
SHA1

5b9594d4dc4c46d5479ed5645ba1aa510e403ec3
SHA256

7dd2cb6cb441739419634c8a5aedbd44fc20357fe1c861924b3199e5f4e351ba
SHA512

256433af256e230521998b0bf48921f4ccb6cf4d113409b4678c0c36709c431dcb257b01f0d8842a041447e117bf070cef9b300975d24793b1a52525dcc16547

Score

10^/10

formbook cnp0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cnp0

C2

http://www.ccnsv.net/cnp0/

Decoy

jiarenyuanhunlian.com

xquizitelashesnwaxx.com

rentinerie.com

herbalpedia-id.com

openseagames.com

re-swap.com

william-cook.com

segensv.com

versebay.com

brendanlairdsound.com

bypestor.com

hospitaldelpc.net

wwwroadrunnerfinancial.com

waterhammerstudios.com

hustleandbank.photography

secure01bchslogin.com

rarepeperanking.com

greatland.company

happybirthdayjewel.com

raheok.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2088-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2088-125-0x000000000041F0D0-mapping.dmp	formbook
behavioral2/memory/2088-128-0x0000000001440000-0x000000000158A000-memory.dmp	formbook
behavioral2/memory/1184-133-0x0000000000760000-0x000000000078F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exeS.K TRADING CO., LTD - INQUIRY DOCUMENTS.execscript.exe

description	pid	process	target process
PID 3168 set thread context of 2088	3168	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
PID 2088 set thread context of 3024	2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	Explorer.EXE
PID 1184 set thread context of 3024	1184	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

S.K TRADING CO., LTD - INQUIRY DOCUMENTS.execscript.exe

pid	process
2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe
1184	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3024 Explorer.EXE

pid	process
3024	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

S.K TRADING CO., LTD - INQUIRY DOCUMENTS.execscript.exe

pid	process
2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
1184	cscript.exe
1184	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

S.K TRADING CO., LTD - INQUIRY DOCUMENTS.execscript.exe

description pid process

Token: SeDebugPrivilege 2088 S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
Token: SeDebugPrivilege 1184 cscript.exe

description	pid	process
Token: SeDebugPrivilege	2088	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
Token: SeDebugPrivilege	1184	cscript.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 3168 wrote to memory of 2088	3168	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
PID 3168 wrote to memory of 2088	3168	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
PID 3168 wrote to memory of 2088	3168	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
PID 3168 wrote to memory of 2088	3168	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
PID 3168 wrote to memory of 2088	3168	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
PID 3168 wrote to memory of 2088	3168	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe	S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
PID 3024 wrote to memory of 1184	3024	Explorer.EXE	cscript.exe
PID 3024 wrote to memory of 1184	3024	Explorer.EXE	cscript.exe
PID 3024 wrote to memory of 1184	3024	Explorer.EXE	cscript.exe
PID 1184 wrote to memory of 2848	1184	cscript.exe	cmd.exe
PID 1184 wrote to memory of 2848	1184	cscript.exe	cmd.exe
PID 1184 wrote to memory of 2848	1184	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3024

C:\Users\Admin\AppData\Local\Temp\S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe
"C:\Users\Admin\AppData\Local\Temp\S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2088

C:\Windows\SysWOW64\cscript.exe
"C:\Windows\SysWOW64\cscript.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\S.K TRADING CO., LTD - INQUIRY DOCUMENTS.exe"
3⤵
PID:2848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1184-130-0x0000000000000000-mapping.dmp

Download
memory/1184-135-0x0000000004640000-0x00000000046D3000-memory.dmp

Filesize
588KB

Download
memory/1184-133-0x0000000000760000-0x000000000078F000-memory.dmp

Filesize
188KB

Download
memory/1184-131-0x0000000001110000-0x0000000001137000-memory.dmp

Filesize
156KB

Download
memory/1184-132-0x0000000004880000-0x0000000004BA0000-memory.dmp

Filesize
3.1MB

Download
memory/2088-128-0x0000000001440000-0x000000000158A000-memory.dmp

Filesize
1.3MB

Download
memory/2088-127-0x0000000001880000-0x0000000001BA0000-memory.dmp

Filesize
3.1MB

Download
memory/2088-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2088-125-0x000000000041F0D0-mapping.dmp

Download
memory/2848-134-0x0000000000000000-mapping.dmp

Download
memory/3024-129-0x0000000002450000-0x0000000002504000-memory.dmp

Filesize
720KB

Download
memory/3024-136-0x0000000005D00000-0x0000000005E32000-memory.dmp

Filesize
1.2MB

Download
memory/3168-115-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/3168-122-0x0000000006450000-0x0000000006451000-memory.dmp

Filesize
4KB

Download
memory/3168-121-0x00000000058C0000-0x00000000058C6000-memory.dmp

Filesize
24KB

Download
memory/3168-120-0x00000000055C0000-0x0000000005652000-memory.dmp

Filesize
584KB

Download
memory/3168-119-0x0000000005670000-0x0000000005671000-memory.dmp

Filesize
4KB

Download
memory/3168-118-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/3168-123-0x00000000064F0000-0x0000000006542000-memory.dmp

Filesize
328KB

Download
memory/3168-117-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads