formbook | 241937fdff6aeae4c5a60bc707c331504d4b5c8df13b97ddd2e8da2107978f0e

General

Target

PI 46788393.exe
Size

530KB
MD5

1365ef23d6453fbc22a28ee56bec858b
SHA1

c3f1def4b65bc427e791d2e285beadf5b0dfc654
SHA256

773fbca16ec67d4820654e39aaa65645f8608a8f7186f12b5ed62498ff1334c6
SHA512

35aff0f520f713c53420644f3fb92e6037614691934939781299e1350dd290b92ed4c7d1b8e7aa4ac164b9d1ffbde98838740e0ec4ce2798b93b45d44c2b6592

Score

10^/10

formbook q5e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/848-132-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/848-137-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/4676-143-0x0000000000600000-0x000000000062D000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

PI 46788393.exePI 46788393.exeipconfig.exe

description	pid	process	target process
PID 4756 set thread context of 848	4756	PI 46788393.exe	PI 46788393.exe
PID 848 set thread context of 2684	848	PI 46788393.exe	Explorer.EXE
PID 848 set thread context of 2684	848	PI 46788393.exe	Explorer.EXE
PID 4676 set thread context of 2684	4676	ipconfig.exe	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

4676 ipconfig.exe

pid	process
4676	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

Processes:

PI 46788393.exePI 46788393.exeipconfig.exe

pid	process
4756	PI 46788393.exe
848	PI 46788393.exe
848	PI 46788393.exe
848	PI 46788393.exe
848	PI 46788393.exe
848	PI 46788393.exe
848	PI 46788393.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe
4676	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2684 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

PI 46788393.exeipconfig.exe

pid process

848 PI 46788393.exe
848 PI 46788393.exe
848 PI 46788393.exe
848 PI 46788393.exe
4676 ipconfig.exe
4676 ipconfig.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

PI 46788393.exePI 46788393.exeipconfig.exe

description pid process

Token: SeDebugPrivilege 4756 PI 46788393.exe
Token: SeDebugPrivilege 848 PI 46788393.exe
Token: SeDebugPrivilege 4676 ipconfig.exe

pid	process
2684	Explorer.EXE

pid	process
848	PI 46788393.exe
848	PI 46788393.exe
848	PI 46788393.exe
848	PI 46788393.exe
4676	ipconfig.exe
4676	ipconfig.exe

description	pid	process
Token: SeDebugPrivilege	4756	PI 46788393.exe
Token: SeDebugPrivilege	848	PI 46788393.exe
Token: SeDebugPrivilege	4676	ipconfig.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PI 46788393.exeExplorer.EXEipconfig.exe

description	pid	process	target process
PID 4756 wrote to memory of 848	4756	PI 46788393.exe	PI 46788393.exe
PID 4756 wrote to memory of 848	4756	PI 46788393.exe	PI 46788393.exe
PID 4756 wrote to memory of 848	4756	PI 46788393.exe	PI 46788393.exe
PID 4756 wrote to memory of 848	4756	PI 46788393.exe	PI 46788393.exe
PID 4756 wrote to memory of 848	4756	PI 46788393.exe	PI 46788393.exe
PID 4756 wrote to memory of 848	4756	PI 46788393.exe	PI 46788393.exe
PID 2684 wrote to memory of 4676	2684	Explorer.EXE	ipconfig.exe
PID 2684 wrote to memory of 4676	2684	Explorer.EXE	ipconfig.exe
PID 2684 wrote to memory of 4676	2684	Explorer.EXE	ipconfig.exe
PID 4676 wrote to memory of 4564	4676	ipconfig.exe	cmd.exe
PID 4676 wrote to memory of 4564	4676	ipconfig.exe	cmd.exe
PID 4676 wrote to memory of 4564	4676	ipconfig.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2684

C:\Users\Admin\AppData\Local\Temp\PI 46788393.exe
"C:\Users\Admin\AppData\Local\Temp\PI 46788393.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4756

C:\Users\Admin\AppData\Local\Temp\PI 46788393.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:848

C:\Windows\SysWOW64\ipconfig.exe
"C:\Windows\SysWOW64\ipconfig.exe"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PI 46788393.exe"
3⤵
PID:4564

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/848-131-0x0000000000000000-mapping.dmp

Download
memory/848-132-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/848-133-0x0000000000FD0000-0x000000000131A000-memory.dmp

Filesize
3.3MB

Download
memory/848-135-0x0000000000AF0000-0x0000000000B04000-memory.dmp

Filesize
80KB

Download
memory/848-138-0x0000000000F70000-0x0000000000F84000-memory.dmp

Filesize
80KB

Download
memory/2684-139-0x0000000002F20000-0x0000000002FFF000-memory.dmp

Filesize
892KB

Download
memory/2684-136-0x00000000082A0000-0x0000000008443000-memory.dmp

Filesize
1.6MB

Download
memory/2684-146-0x0000000008560000-0x00000000086D8000-memory.dmp

Filesize
1.5MB

Download
memory/4564-141-0x0000000000000000-mapping.dmp

Download
memory/4676-140-0x0000000000000000-mapping.dmp

Download
memory/4676-142-0x00000000003F0000-0x00000000003FB000-memory.dmp

Filesize
44KB

Download
memory/4676-143-0x0000000000600000-0x000000000062D000-memory.dmp

Filesize
180KB

Download
memory/4676-144-0x0000000000D50000-0x000000000109A000-memory.dmp

Filesize
3.3MB

Download
memory/4676-145-0x0000000000BF0000-0x0000000000C83000-memory.dmp

Filesize
588KB

Download
memory/4756-130-0x0000000074650000-0x0000000074C01000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads