formbook | 7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1

General

Target

hussanbinzx.exe
Size

400KB
MD5

cb5cd9f8250eaf3861f8774f431032b4
SHA1

1de8f273480f80f18d070f1f71aa722923759137
SHA256

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1
SHA512

f7b4bc3996fee5fa1606a85f3d3cce6a1dbd6f14a133c81db0061b91528fc36c9856bd684b5d111ad387fff539720391fc2afd52c3b5803a7e192471a21e74cc

Score

10^/10

formbook k2i4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2i4

Decoy

apehangersbikersgang.com

lhcgrou.com

diveidf.com

timtas.store

jadebody.club

iamjbrussell.com

fwfuv.icu

picchealth.net

batuair.com

z58609.com

punarecotech.com

a-oct.com

xn--wmq0c1qt9mcxhxjkp16a.top

district99.net

5dcoding.com

aripagripoff.biz

abtheagent.com

betterskincareco.com

jsskylight.com

deviseoffice.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/848-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/848-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/436-70-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid	Process
1064	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

hussanbinzx.exehussanbinzx.exesvchost.exe

description	pid	Process	procid_target
PID 812 set thread context of 848	812	hussanbinzx.exe	29
PID 848 set thread context of 1388	848	hussanbinzx.exe	12
PID 436 set thread context of 1388	436	svchost.exe	12

Suspicious behavior: EnumeratesProcesses 19 IoCs

Processes:

hussanbinzx.exesvchost.exe

pid	Process
848	hussanbinzx.exe
848	hussanbinzx.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe
436	svchost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

hussanbinzx.exesvchost.exe

pid	Process
848	hussanbinzx.exe
848	hussanbinzx.exe
848	hussanbinzx.exe
436	svchost.exe
436	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

hussanbinzx.exesvchost.exe

description	pid	Process
Token: SeDebugPrivilege	848	hussanbinzx.exe
Token: SeDebugPrivilege	436	svchost.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid	Process
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid	Process
1388	Explorer.EXE
1388	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

hussanbinzx.exeExplorer.EXEsvchost.exe

description	pid	Process	procid_target
PID 812 wrote to memory of 848	812	hussanbinzx.exe	29
PID 812 wrote to memory of 848	812	hussanbinzx.exe	29
PID 812 wrote to memory of 848	812	hussanbinzx.exe	29
PID 812 wrote to memory of 848	812	hussanbinzx.exe	29
PID 812 wrote to memory of 848	812	hussanbinzx.exe	29
PID 812 wrote to memory of 848	812	hussanbinzx.exe	29
PID 812 wrote to memory of 848	812	hussanbinzx.exe	29
PID 1388 wrote to memory of 436	1388	Explorer.EXE	30
PID 1388 wrote to memory of 436	1388	Explorer.EXE	30
PID 1388 wrote to memory of 436	1388	Explorer.EXE	30
PID 1388 wrote to memory of 436	1388	Explorer.EXE	30
PID 436 wrote to memory of 1064	436	svchost.exe	31
PID 436 wrote to memory of 1064	436	svchost.exe	31
PID 436 wrote to memory of 1064	436	svchost.exe	31
PID 436 wrote to memory of 1064	436	svchost.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1388
- C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe
  "C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe
    "C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:848
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\hussanbinzx.exe"
    3⤵
    - Deletes itself
    PID:1064

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/436-69-0x0000000000BC0000-0x0000000000BC8000-memory.dmp

Filesize
32KB

Download
memory/436-72-0x0000000000560000-0x00000000005F4000-memory.dmp

Filesize
592KB

Download
memory/436-71-0x0000000000760000-0x0000000000A63000-memory.dmp

Filesize
3.0MB

Download
memory/436-70-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/812-56-0x00000000001F0000-0x000000000025A000-memory.dmp

Filesize
424KB

Download
memory/812-57-0x0000000004990000-0x0000000004991000-memory.dmp

Filesize
4KB

Download
memory/812-58-0x0000000000420000-0x000000000042C000-memory.dmp

Filesize
48KB

Download
memory/812-59-0x0000000005380000-0x00000000053EA000-memory.dmp

Filesize
424KB

Download
memory/812-55-0x00000000744CE000-0x00000000744CF000-memory.dmp

Filesize
4KB

Download
memory/848-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-67-0x0000000000310000-0x0000000000325000-memory.dmp

Filesize
84KB

Download
memory/848-66-0x000000000041F000-0x0000000000420000-memory.dmp

Filesize
4KB

Download
memory/848-65-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/848-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/848-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1388-68-0x00000000068A0000-0x00000000069E1000-memory.dmp

Filesize
1.3MB

Download
memory/1388-73-0x0000000006AC0000-0x0000000006C1B000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads