formbook | b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd

General

Target

H4vBtZsi8xAKaMm.exe
Size

1.2MB
MD5

7eabab04e4a6fdd45238e32ed81e222c
SHA1

e0e1dc469746f5e2e049ea4a93d9b09a9227b342
SHA256

b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd
SHA512

eeaa0f02a15a66b3363f94730ad3cf7c533a4bf303cfa0f53b21959a54dc0f65c50b1ac179aa5f992e3e17bbfaaa1b7393da3d1859ddd51932d36bdf0b7fa21b

Score

10^/10

formbook u1p5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u1p5

Decoy

yannickrast.com

shitcoin.team

mysweetelissa.com

tpnfrgm2wrld.xyz

freeclothesonline.com

rhoads-music.com

tanglewoodrx.com

sharkeycustoms.com

bonin-island.com

apeutah.com

metacehennem.xyz

deutscheno1.com

e-gate-io.store

hometoto.xyz

jojomove.com

vzn2aai2qj.icu

couponcodes6.com

pbcgotv.com

metarealtyhome.com

geymall.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/932-128-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/932-131-0x0000000000B00000-0x0000000000C4A000-memory.dmp	formbook
behavioral2/memory/2648-134-0x0000000003080000-0x00000000030AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

H4vBtZsi8xAKaMm.exeMSBuild.exenetsh.exe

description	pid	process	target process
PID 2352 set thread context of 932	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 932 set thread context of 2084	932	MSBuild.exe	Explorer.EXE
PID 2648 set thread context of 2084	2648	netsh.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 23 IoCs

Processes:

H4vBtZsi8xAKaMm.exeMSBuild.exenetsh.exe

pid	process
2352	H4vBtZsi8xAKaMm.exe
2352	H4vBtZsi8xAKaMm.exe
2352	H4vBtZsi8xAKaMm.exe
932	MSBuild.exe
932	MSBuild.exe
932	MSBuild.exe
932	MSBuild.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe
2648	netsh.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

MSBuild.exenetsh.exe

pid process

932 MSBuild.exe
932 MSBuild.exe
932 MSBuild.exe
2648 netsh.exe
2648 netsh.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

H4vBtZsi8xAKaMm.exeMSBuild.exenetsh.exe

description pid process

Token: SeDebugPrivilege 2352 H4vBtZsi8xAKaMm.exe
Token: SeDebugPrivilege 932 MSBuild.exe
Token: SeDebugPrivilege 2648 netsh.exe

pid	process
932	MSBuild.exe
932	MSBuild.exe
932	MSBuild.exe
2648	netsh.exe
2648	netsh.exe

description	pid	process
Token: SeDebugPrivilege	2352	H4vBtZsi8xAKaMm.exe
Token: SeDebugPrivilege	932	MSBuild.exe
Token: SeDebugPrivilege	2648	netsh.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

H4vBtZsi8xAKaMm.exeExplorer.EXEnetsh.exe

description	pid	process	target process
PID 2352 wrote to memory of 1108	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 1108	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 1108	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 932	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 932	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 932	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 932	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 932	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2352 wrote to memory of 932	2352	H4vBtZsi8xAKaMm.exe	MSBuild.exe
PID 2084 wrote to memory of 2648	2084	Explorer.EXE	netsh.exe
PID 2084 wrote to memory of 2648	2084	Explorer.EXE	netsh.exe
PID 2084 wrote to memory of 2648	2084	Explorer.EXE	netsh.exe
PID 2648 wrote to memory of 2576	2648	netsh.exe	cmd.exe
PID 2648 wrote to memory of 2576	2648	netsh.exe	cmd.exe
PID 2648 wrote to memory of 2576	2648	netsh.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2084

C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe
"C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
3⤵
PID:1108

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:932

C:\Windows\SysWOW64\netsh.exe
"C:\Windows\SysWOW64\netsh.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
3⤵
PID:2576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/932-128-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/932-131-0x0000000000B00000-0x0000000000C4A000-memory.dmp

Filesize
1.3MB

Download
memory/932-130-0x0000000001080000-0x00000000013A0000-memory.dmp

Filesize
3.1MB

Download
memory/2084-137-0x0000000002770000-0x00000000028B5000-memory.dmp

Filesize
1.3MB

Download
memory/2084-132-0x0000000002650000-0x000000000276E000-memory.dmp

Filesize
1.1MB

Download
memory/2352-122-0x0000000002800000-0x000000000289C000-memory.dmp

Filesize
624KB

Download
memory/2352-121-0x0000000004F10000-0x0000000004FA2000-memory.dmp

Filesize
584KB

Download
memory/2352-125-0x00000000053C0000-0x00000000053CA000-memory.dmp

Filesize
40KB

Download
memory/2352-126-0x0000000000DB0000-0x0000000000E38000-memory.dmp

Filesize
544KB

Download
memory/2352-127-0x0000000005B30000-0x0000000005B64000-memory.dmp

Filesize
208KB

Download
memory/2352-123-0x0000000002900000-0x000000000290A000-memory.dmp

Filesize
40KB

Download
memory/2352-118-0x0000000000330000-0x0000000000474000-memory.dmp

Filesize
1.3MB

Download
memory/2352-124-0x0000000005350000-0x00000000053A6000-memory.dmp

Filesize
344KB

Download
memory/2352-120-0x0000000005530000-0x0000000005A2E000-memory.dmp

Filesize
5.0MB

Download
memory/2352-119-0x0000000004E70000-0x0000000004F0C000-memory.dmp

Filesize
624KB

Download
memory/2648-134-0x0000000003080000-0x00000000030AF000-memory.dmp

Filesize
188KB

Download
memory/2648-135-0x0000000003BE0000-0x0000000003F00000-memory.dmp

Filesize
3.1MB

Download
memory/2648-136-0x00000000038A0000-0x0000000003A36000-memory.dmp

Filesize
1.6MB

Download
memory/2648-133-0x0000000001050000-0x000000000106E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads