formbook | 9b08add787ee884a3e2a0953cc6447fe394a544971aa17746275d2aa5e13690f

General

Target

Alpha 7763826639.exe
Size

496KB
MD5

9e3db9c40093f7a159827ab2a9de640e
SHA1

e9a5ae757342e4ac6d21bc0e33f0e703104dcf03
SHA256

31f02d35e3e941b42298936bd026b39a5d682825bc4b4277945f9f0143617931
SHA512

6a57ac5b688e2bc8a0a24230bdf60a3146216e54a986ba0c6083b400582e5f94ba6dcd14b95458f8a1bef53076ba32d74d663222e7e82600d454c720134adda1

Score

10^/10

formbook q5e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/976-59-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/976-60-0x000000000041E2A0-mapping.dmp	formbook
behavioral1/memory/976-62-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1092-70-0x0000000000080000-0x00000000000AD000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2040 cmd.exe

pid	process
2040	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Alpha 7763826639.exeAlpha 7763826639.execontrol.exe

description	pid	process	target process
PID 1548 set thread context of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 976 set thread context of 1268	976	Alpha 7763826639.exe	Explorer.EXE
PID 1092 set thread context of 1268	1092	control.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

Alpha 7763826639.exeAlpha 7763826639.execontrol.exe

pid	process
1548	Alpha 7763826639.exe
976	Alpha 7763826639.exe
976	Alpha 7763826639.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe
1092	control.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Alpha 7763826639.execontrol.exe

pid process

976 Alpha 7763826639.exe
976 Alpha 7763826639.exe
976 Alpha 7763826639.exe
1092 control.exe
1092 control.exe

pid	process
976	Alpha 7763826639.exe
976	Alpha 7763826639.exe
976	Alpha 7763826639.exe
1092	control.exe
1092	control.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Alpha 7763826639.exeAlpha 7763826639.execontrol.exe

description	pid	process
Token: SeDebugPrivilege	1548	Alpha 7763826639.exe
Token: SeDebugPrivilege	976	Alpha 7763826639.exe
Token: SeDebugPrivilege	1092	control.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1268 Explorer.EXE
1268 Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

pid	process
1268	Explorer.EXE
1268	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Alpha 7763826639.exeExplorer.EXEcontrol.exe

description	pid	process	target process
PID 1548 wrote to memory of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 1548 wrote to memory of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 1548 wrote to memory of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 1548 wrote to memory of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 1548 wrote to memory of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 1548 wrote to memory of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 1548 wrote to memory of 976	1548	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 1268 wrote to memory of 1092	1268	Explorer.EXE	control.exe
PID 1268 wrote to memory of 1092	1268	Explorer.EXE	control.exe
PID 1268 wrote to memory of 1092	1268	Explorer.EXE	control.exe
PID 1268 wrote to memory of 1092	1268	Explorer.EXE	control.exe
PID 1092 wrote to memory of 2040	1092	control.exe	cmd.exe
PID 1092 wrote to memory of 2040	1092	control.exe	cmd.exe
PID 1092 wrote to memory of 2040	1092	control.exe	cmd.exe
PID 1092 wrote to memory of 2040	1092	control.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1268

C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
"C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1548

C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:976

C:\Windows\SysWOW64\control.exe
"C:\Windows\SysWOW64\control.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1092

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe"
3⤵
- Deletes itself
PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/976-64-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/976-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/976-63-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/976-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/976-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/976-60-0x000000000041E2A0-mapping.dmp

Download
memory/976-62-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1092-66-0x0000000000000000-mapping.dmp

Download
memory/1092-69-0x0000000000AA0000-0x0000000000ABF000-memory.dmp

Filesize
124KB

Download
memory/1092-70-0x0000000000080000-0x00000000000AD000-memory.dmp

Filesize
180KB

Download
memory/1092-71-0x0000000002050000-0x0000000002353000-memory.dmp

Filesize
3.0MB

Download
memory/1092-72-0x0000000000860000-0x00000000008F3000-memory.dmp

Filesize
588KB

Download
memory/1268-65-0x0000000006C20000-0x0000000006D90000-memory.dmp

Filesize
1.4MB

Download
memory/1268-73-0x0000000004B60000-0x0000000004C1E000-memory.dmp

Filesize
760KB

Download
memory/1548-55-0x0000000074300000-0x00000000748AB000-memory.dmp

Filesize
5.7MB

Download
memory/1548-54-0x0000000075701000-0x0000000075703000-memory.dmp

Filesize
8KB

Download
memory/2040-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads