formbook | 0fcca302c4bcf8f490650685b46d1ea92edcb126aaf959c4b8ad0897511ee7d5

General

Target

ORDER_26.exe
Size

1007KB
MD5

2a7891d958327a9c60b079ee3d487fd8
SHA1

fd828cc4ac3c2e8dd0319b146c0886677543c5d3
SHA256

0fcca302c4bcf8f490650685b46d1ea92edcb126aaf959c4b8ad0897511ee7d5
SHA512

945e51519051fa89023cf74e3935ae1a2ab98d5f758529908829e7b604c9cff56dd38af4446558d97fa8f918601e19e5c9ddb736578969768ae69966f163290f

Score

10^/10

formbook je16 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je16

Decoy

antonavt.com

sdfvlog.xyz

xn--arbetslivsaktren-ywb.com

propelcolor.com

uniqueclsssiccars.com

colorbells.com

synjive.com

cloudymellows.com

walltage.com

qterps.com

kezorup.online

soakedindelight.online

thefirstgroupscam.biz

miclanka.com

mwm-security.com

trinksaifenradiodocumentary.com

spineklinik.com

javacodecafe.com

groovyrelease-toknowtoday.info

ventadesillasymesas.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1148-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1664-68-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1488 cmd.exe

pid	process
1488	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

ORDER_26.exeORDER_26.execontrol.exe

description	pid	process	target process
PID 1212 set thread context of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1148 set thread context of 1412	1148	ORDER_26.exe	Explorer.EXE
PID 1664 set thread context of 1412	1664	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 18 IoCs

Processes:

ORDER_26.execontrol.exe

pid	process
1148	ORDER_26.exe
1148	ORDER_26.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe
1664	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

ORDER_26.execontrol.exe

pid process

1148 ORDER_26.exe
1148 ORDER_26.exe
1148 ORDER_26.exe
1664 control.exe
1664 control.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

ORDER_26.execontrol.exe

description pid process

Token: SeDebugPrivilege 1148 ORDER_26.exe
Token: SeDebugPrivilege 1664 control.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1148	ORDER_26.exe
Token: SeDebugPrivilege	1664	control.exe

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

ORDER_26.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1212 wrote to memory of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1212 wrote to memory of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1212 wrote to memory of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1212 wrote to memory of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1212 wrote to memory of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1212 wrote to memory of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1212 wrote to memory of 1148	1212	ORDER_26.exe	ORDER_26.exe
PID 1412 wrote to memory of 1664	1412	Explorer.EXE	control.exe
PID 1412 wrote to memory of 1664	1412	Explorer.EXE	control.exe
PID 1412 wrote to memory of 1664	1412	Explorer.EXE	control.exe
PID 1412 wrote to memory of 1664	1412	Explorer.EXE	control.exe
PID 1664 wrote to memory of 1488	1664	control.exe	cmd.exe
PID 1664 wrote to memory of 1488	1664	control.exe	cmd.exe
PID 1664 wrote to memory of 1488	1664	control.exe	cmd.exe
PID 1664 wrote to memory of 1488	1664	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1148

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1664

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
3⤵
- Deletes itself
PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-65-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1148-63-0x00000000007D0000-0x0000000000BD3000-memory.dmp

Filesize
4.0MB

Download
memory/1148-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1212-58-0x0000000004E00000-0x0000000004E6A000-memory.dmp

Filesize
424KB

Download
memory/1212-54-0x0000000000F30000-0x0000000001032000-memory.dmp

Filesize
1.0MB

Download
memory/1212-57-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/1212-56-0x0000000004CE0000-0x0000000004CE1000-memory.dmp

Filesize
4KB

Download
memory/1212-55-0x0000000075AB1000-0x0000000075AB3000-memory.dmp

Filesize
8KB

Download
memory/1412-64-0x0000000004A00000-0x0000000004ADD000-memory.dmp

Filesize
884KB

Download
memory/1412-71-0x0000000006B00000-0x0000000006BED000-memory.dmp

Filesize
948KB

Download
memory/1664-68-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1664-67-0x0000000000020000-0x000000000003F000-memory.dmp

Filesize
124KB

Download
memory/1664-69-0x0000000001E50000-0x0000000002153000-memory.dmp

Filesize
3.0MB

Download
memory/1664-70-0x0000000002160000-0x00000000021F3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads