formbook | 15ac04ec28d56ae025739eb61733b091ce0c6ea9498eca607c07e2f71c702df1

General

Target

RFQ_TMZ14062020.exe
Size

242KB
MD5

051b8c8e6d62b265a1486098755c8f92
SHA1

0c4d1555f68e60702fdecd2a5efe9f92b6fc9852
SHA256

e667a864a89ee23cf61430baa3eafd40ce829dbb6b4ae31ef7a65f645cf13d2c
SHA512

40a7e97d3cf117e92a5e676927f46eaf9f22f4a96ad4d66d8fba56fab563d1ef6e4761fecf038ea62c13d760e86bba787b9a80aa870312d202a2ed12a4a29356

Score

10^/10

formbook b0y rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b0y

Decoy

studiokopa.net

captaindoggo.net

project-woodwork.com

lasvegaskosher.com

elionimali.com

cozystylekobe.com

baiyizhao.com

djaimevargas.com

getshop.today

chikkadee.com

historicnortherncolorado.com

artofbrandstorytelling.com

robinsonscommunitiesph.com

petfriendlyrentals.net

dolphinsdragonsanddinsoaurs.com

phucquangphat.com

charitydigitalnetworks.com

czhuiyue.com

thetripletwomethod.com

harvestexcitementonline.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1640-54-0x0000000000DD0000-0x0000000000E10000-memory.dmp	formbook
behavioral1/memory/956-63-0x00000000000C0000-0x00000000000ED000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1324 cmd.exe

pid	process
1324	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ_TMZ14062020.execmmon32.exe

description	pid	process	target process
PID 1640 set thread context of 1212	1640	RFQ_TMZ14062020.exe	Explorer.EXE
PID 1640 set thread context of 1212	1640	RFQ_TMZ14062020.exe	Explorer.EXE
PID 956 set thread context of 1212	956	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

RFQ_TMZ14062020.execmmon32.exe

pid	process
1640	RFQ_TMZ14062020.exe
1640	RFQ_TMZ14062020.exe
1640	RFQ_TMZ14062020.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe
956	cmmon32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RFQ_TMZ14062020.execmmon32.exe

pid process

1640 RFQ_TMZ14062020.exe
1640 RFQ_TMZ14062020.exe
1640 RFQ_TMZ14062020.exe
1640 RFQ_TMZ14062020.exe
956 cmmon32.exe
956 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RFQ_TMZ14062020.execmmon32.exe

description pid process

Token: SeDebugPrivilege 1640 RFQ_TMZ14062020.exe
Token: SeDebugPrivilege 956 cmmon32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1212 Explorer.EXE
1212 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1640	RFQ_TMZ14062020.exe
Token: SeDebugPrivilege	956	cmmon32.exe

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

pid	process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Explorer.EXEcmmon32.exe

description	pid	process	target process
PID 1212 wrote to memory of 956	1212	Explorer.EXE	cmmon32.exe
PID 1212 wrote to memory of 956	1212	Explorer.EXE	cmmon32.exe
PID 1212 wrote to memory of 956	1212	Explorer.EXE	cmmon32.exe
PID 1212 wrote to memory of 956	1212	Explorer.EXE	cmmon32.exe
PID 1212 wrote to memory of 964	1212	Explorer.EXE	colorcpl.exe
PID 1212 wrote to memory of 964	1212	Explorer.EXE	colorcpl.exe
PID 1212 wrote to memory of 964	1212	Explorer.EXE	colorcpl.exe
PID 1212 wrote to memory of 964	1212	Explorer.EXE	colorcpl.exe
PID 956 wrote to memory of 1324	956	cmmon32.exe	cmd.exe
PID 956 wrote to memory of 1324	956	cmmon32.exe	cmd.exe
PID 956 wrote to memory of 1324	956	cmmon32.exe	cmd.exe
PID 956 wrote to memory of 1324	956	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1212

C:\Users\Admin\AppData\Local\Temp\RFQ_TMZ14062020.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ_TMZ14062020.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1640

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
2⤵
PID:964

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:956

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ_TMZ14062020.exe"
3⤵
- Deletes itself
PID:1324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/956-63-0x00000000000C0000-0x00000000000ED000-memory.dmp

Filesize
180KB

Download
memory/956-60-0x0000000000000000-mapping.dmp

Download
memory/956-62-0x0000000000300000-0x000000000030D000-memory.dmp

Filesize
52KB

Download
memory/956-64-0x0000000001FA0000-0x00000000022A3000-memory.dmp

Filesize
3.0MB

Download
memory/956-65-0x00000000004D0000-0x0000000000563000-memory.dmp

Filesize
588KB

Download
memory/1212-57-0x0000000004A60000-0x0000000004BBE000-memory.dmp

Filesize
1.4MB

Download
memory/1212-59-0x0000000004BC0000-0x0000000004D1F000-memory.dmp

Filesize
1.4MB

Download
memory/1212-66-0x0000000004D20000-0x0000000004E24000-memory.dmp

Filesize
1.0MB

Download
memory/1324-61-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000002210000-0x0000000002513000-memory.dmp

Filesize
3.0MB

Download
memory/1640-56-0x0000000000480000-0x0000000000494000-memory.dmp

Filesize
80KB

Download
memory/1640-58-0x00000000004C0000-0x00000000004D4000-memory.dmp

Filesize
80KB

Download
memory/1640-54-0x0000000000DD0000-0x0000000000E10000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads