formbook | 365876fb9df710d6479e62ba3e5d95e524018c5fa0a37ccf9f674ff23dc6fb9d

General

Target

order SEP.exe
Size

394KB
MD5

7e17022d4cb372a3a853feedcd918d90
SHA1

ad69c5d385a4d7156c8ff3eeb2379739c53ded02
SHA256

3a7e2e98243c188fbda3734b22856c30febb41d1f7e0ddbc034906288aa72dae
SHA512

0fa20e95892462768517fbacf5df0b62258d9a8f9f5bab521962571b49a9d50353042e48cbf2bc2ff1af300d62adfbe9cf34d3ea4e92eb0b8d090ccbd7c00692

Score

10^/10

formbook g8u rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

g8u

Decoy

stuition.com

mj-sculpture.com

cannatainmentevents.com

dianjintang.com

rmlusitania.info

effet-spiruline.com

flatheme.com

supergaminator-vip.com

craftyourmagic.com

lakai.ltd

electionshawaii.com

iqpdct.com

thebestfourstarhotels.com

satoshiceo.com

saintmartiner.com

brothersmarinetoronto.com

citicoin.online

scentsationalsniffers.com

hellonighbourgameees.com

displayonline-france.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4392-135-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/4416-143-0x0000000000710000-0x000000000073D000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

order SEP.exeorder SEP.exesvchost.exe

description	pid	process	target process
PID 4240 set thread context of 4392	4240	order SEP.exe	order SEP.exe
PID 4392 set thread context of 3232	4392	order SEP.exe	Explorer.EXE
PID 4416 set thread context of 3232	4416	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

order SEP.exeorder SEP.exesvchost.exe

pid	process
4240	order SEP.exe
4240	order SEP.exe
4240	order SEP.exe
4392	order SEP.exe
4392	order SEP.exe
4392	order SEP.exe
4392	order SEP.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe
4416	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3232 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

order SEP.exesvchost.exe

pid process

4392 order SEP.exe
4392 order SEP.exe
4392 order SEP.exe
4416 svchost.exe
4416 svchost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

order SEP.exeorder SEP.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4240 order SEP.exe
Token: SeDebugPrivilege 4392 order SEP.exe
Token: SeDebugPrivilege 4416 svchost.exe

pid	process
3232	Explorer.EXE

pid	process
4392	order SEP.exe
4392	order SEP.exe
4392	order SEP.exe
4416	svchost.exe
4416	svchost.exe

description	pid	process
Token: SeDebugPrivilege	4240	order SEP.exe
Token: SeDebugPrivilege	4392	order SEP.exe
Token: SeDebugPrivilege	4416	svchost.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

order SEP.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4240 wrote to memory of 4392	4240	order SEP.exe	order SEP.exe
PID 4240 wrote to memory of 4392	4240	order SEP.exe	order SEP.exe
PID 4240 wrote to memory of 4392	4240	order SEP.exe	order SEP.exe
PID 4240 wrote to memory of 4392	4240	order SEP.exe	order SEP.exe
PID 4240 wrote to memory of 4392	4240	order SEP.exe	order SEP.exe
PID 4240 wrote to memory of 4392	4240	order SEP.exe	order SEP.exe
PID 3232 wrote to memory of 4416	3232	Explorer.EXE	svchost.exe
PID 3232 wrote to memory of 4416	3232	Explorer.EXE	svchost.exe
PID 3232 wrote to memory of 4416	3232	Explorer.EXE	svchost.exe
PID 4416 wrote to memory of 1364	4416	svchost.exe	cmd.exe
PID 4416 wrote to memory of 1364	4416	svchost.exe	cmd.exe
PID 4416 wrote to memory of 1364	4416	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3232

C:\Users\Admin\AppData\Local\Temp\order SEP.exe
"C:\Users\Admin\AppData\Local\Temp\order SEP.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4240

C:\Users\Admin\AppData\Local\Temp\order SEP.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\order SEP.exe"
3⤵
PID:1364

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1364-141-0x0000000000000000-mapping.dmp

Download
memory/3232-139-0x00000000022C0000-0x000000000239B000-memory.dmp

Filesize
876KB

Download
memory/3232-146-0x00000000023D0000-0x00000000024CD000-memory.dmp

Filesize
1012KB

Download
memory/4240-131-0x0000000008220000-0x00000000087C4000-memory.dmp

Filesize
5.6MB

Download
memory/4240-132-0x0000000007E50000-0x0000000007EE2000-memory.dmp

Filesize
584KB

Download
memory/4240-133-0x0000000007F90000-0x000000000802C000-memory.dmp

Filesize
624KB

Download
memory/4240-130-0x0000000000B80000-0x0000000000BE8000-memory.dmp

Filesize
416KB

Download
memory/4392-134-0x0000000000000000-mapping.dmp

Download
memory/4392-138-0x0000000001240000-0x0000000001254000-memory.dmp

Filesize
80KB

Download
memory/4392-136-0x00000000012D0000-0x000000000161A000-memory.dmp

Filesize
3.3MB

Download
memory/4392-135-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/4416-140-0x0000000000000000-mapping.dmp

Download
memory/4416-143-0x0000000000710000-0x000000000073D000-memory.dmp

Filesize
180KB

Download
memory/4416-142-0x0000000000C20000-0x0000000000C2E000-memory.dmp

Filesize
56KB

Download
memory/4416-144-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/4416-145-0x00000000012A0000-0x0000000001333000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads