formbook | 9b08add787ee884a3e2a0953cc6447fe394a544971aa17746275d2aa5e13690f

General

Target

Alpha 7763826639.exe
Size

496KB
MD5

9e3db9c40093f7a159827ab2a9de640e
SHA1

e9a5ae757342e4ac6d21bc0e33f0e703104dcf03
SHA256

31f02d35e3e941b42298936bd026b39a5d682825bc4b4277945f9f0143617931
SHA512

6a57ac5b688e2bc8a0a24230bdf60a3146216e54a986ba0c6083b400582e5f94ba6dcd14b95458f8a1bef53076ba32d74d663222e7e82600d454c720134adda1

Score

10^/10

formbook q5e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/704-135-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/4400-143-0x00000000001D0000-0x00000000001FD000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Alpha 7763826639.exeAlpha 7763826639.execmd.exe

description	pid	process	target process
PID 3308 set thread context of 704	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 704 set thread context of 3252	704	Alpha 7763826639.exe	Explorer.EXE
PID 4400 set thread context of 3252	4400	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

Alpha 7763826639.exeAlpha 7763826639.execmd.exe

pid	process
3308	Alpha 7763826639.exe
3308	Alpha 7763826639.exe
3308	Alpha 7763826639.exe
3308	Alpha 7763826639.exe
3308	Alpha 7763826639.exe
3308	Alpha 7763826639.exe
3308	Alpha 7763826639.exe
704	Alpha 7763826639.exe
704	Alpha 7763826639.exe
704	Alpha 7763826639.exe
704	Alpha 7763826639.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe
4400	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3252 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Alpha 7763826639.execmd.exe

pid process

704 Alpha 7763826639.exe
704 Alpha 7763826639.exe
704 Alpha 7763826639.exe
4400 cmd.exe
4400 cmd.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Alpha 7763826639.exeAlpha 7763826639.execmd.exe

description pid process

Token: SeDebugPrivilege 3308 Alpha 7763826639.exe
Token: SeDebugPrivilege 704 Alpha 7763826639.exe
Token: SeDebugPrivilege 4400 cmd.exe

pid	process
3252	Explorer.EXE

pid	process
704	Alpha 7763826639.exe
704	Alpha 7763826639.exe
704	Alpha 7763826639.exe
4400	cmd.exe
4400	cmd.exe

description	pid	process
Token: SeDebugPrivilege	3308	Alpha 7763826639.exe
Token: SeDebugPrivilege	704	Alpha 7763826639.exe
Token: SeDebugPrivilege	4400	cmd.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Alpha 7763826639.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 3308 wrote to memory of 444	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 444	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 444	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 2496	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 2496	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 2496	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 980	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 980	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 980	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 704	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 704	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 704	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 704	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 704	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3308 wrote to memory of 704	3308	Alpha 7763826639.exe	Alpha 7763826639.exe
PID 3252 wrote to memory of 4400	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 4400	3252	Explorer.EXE	cmd.exe
PID 3252 wrote to memory of 4400	3252	Explorer.EXE	cmd.exe
PID 4400 wrote to memory of 4344	4400	cmd.exe	cmd.exe
PID 4400 wrote to memory of 4344	4400	cmd.exe	cmd.exe
PID 4400 wrote to memory of 4344	4400	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3252

C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
"C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308

C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
"{path}"
3⤵
PID:444

C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
"{path}"
3⤵
PID:2496

C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
"{path}"
3⤵
PID:980

C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:704

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4400

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Alpha 7763826639.exe"
3⤵
PID:4344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/444-131-0x0000000000000000-mapping.dmp

Download
memory/704-138-0x00000000012E0000-0x00000000012F4000-memory.dmp

Filesize
80KB

Download
memory/704-134-0x0000000000000000-mapping.dmp

Download
memory/704-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/704-136-0x0000000000EA0000-0x00000000011EA000-memory.dmp

Filesize
3.3MB

Download
memory/980-133-0x0000000000000000-mapping.dmp

Download
memory/2496-132-0x0000000000000000-mapping.dmp

Download
memory/3252-139-0x0000000002B00000-0x0000000002BEC000-memory.dmp

Filesize
944KB

Download
memory/3252-146-0x00000000084F0000-0x000000000860C000-memory.dmp

Filesize
1.1MB

Download
memory/3308-130-0x0000000075000000-0x00000000755B1000-memory.dmp

Filesize
5.7MB

Download
memory/4344-141-0x0000000000000000-mapping.dmp

Download
memory/4400-140-0x0000000000000000-mapping.dmp

Download
memory/4400-142-0x0000000000C20000-0x0000000000C7A000-memory.dmp

Filesize
360KB

Download
memory/4400-143-0x00000000001D0000-0x00000000001FD000-memory.dmp

Filesize
180KB

Download
memory/4400-144-0x0000000000E30000-0x000000000117A000-memory.dmp

Filesize
3.3MB

Download
memory/4400-145-0x0000000000C80000-0x0000000000D13000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads