formbook | fe272bc2bdf59b23e1ff41b5aba9243faa18a92d3a3198924ffeb167e1a4236a

General

Target

009888389998789290000-pdf.exe
Size

876KB
MD5

c4dc14e8754c36300ae98fa8b4369a40
SHA1

9cd8e279dff02db6ffb9199cf6cb4ff5fc07cc37
SHA256

c303fb93eba5623184f5bfb8fefbea2458e25ead795e6d5c5d5e78e921c6490e
SHA512

ba4280059eb153941d0c06533542a10d25f5c95c45bbebce620f042560df2557e1eae6ea3a405d6663c9552eb8dc49bb1cfccb2659e834a06fac4587373c7382

Score

10^/10

formbook hm2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

hm2

Decoy

vodu.ltd

arauderghem.net

bluebackpage.com

cheapairmaxsaleclearance.com

soldiersofarts.com

fbservice.info

x9e7x7.info

davidhenkel.com

plantrak.net

66sbleiv.com

cartierringprice.com

roupeiroblog.com

thxcn.com

baboondynasty.win

thecloudm.com

everythingreviews.net

zimmermansales.net

movie.kitchen

im.help

geebzor.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4448-138-0x0000000000B30000-0x0000000000B5A000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

009888389998789290000-pdf.exe009888389998789290000-pdf.exemstsc.exe

description	pid	process	target process
PID 5088 set thread context of 852	5088	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 852 set thread context of 796	852	009888389998789290000-pdf.exe	Explorer.EXE
PID 4448 set thread context of 796	4448	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

009888389998789290000-pdf.exe009888389998789290000-pdf.exemstsc.exe

pid	process
5088	009888389998789290000-pdf.exe
5088	009888389998789290000-pdf.exe
852	009888389998789290000-pdf.exe
852	009888389998789290000-pdf.exe
852	009888389998789290000-pdf.exe
852	009888389998789290000-pdf.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe
4448	mstsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

796 Explorer.EXE

pid	process
796	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

009888389998789290000-pdf.exe009888389998789290000-pdf.exemstsc.exe

pid	process
5088	009888389998789290000-pdf.exe
852	009888389998789290000-pdf.exe
852	009888389998789290000-pdf.exe
852	009888389998789290000-pdf.exe
4448	mstsc.exe
4448	mstsc.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

009888389998789290000-pdf.exemstsc.exe

description pid process

Token: SeDebugPrivilege 852 009888389998789290000-pdf.exe
Token: SeDebugPrivilege 4448 mstsc.exe

description	pid	process
Token: SeDebugPrivilege	852	009888389998789290000-pdf.exe
Token: SeDebugPrivilege	4448	mstsc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

009888389998789290000-pdf.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 5088 wrote to memory of 852	5088	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 5088 wrote to memory of 852	5088	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 5088 wrote to memory of 852	5088	009888389998789290000-pdf.exe	009888389998789290000-pdf.exe
PID 796 wrote to memory of 4448	796	Explorer.EXE	mstsc.exe
PID 796 wrote to memory of 4448	796	Explorer.EXE	mstsc.exe
PID 796 wrote to memory of 4448	796	Explorer.EXE	mstsc.exe
PID 4448 wrote to memory of 4192	4448	mstsc.exe	cmd.exe
PID 4448 wrote to memory of 4192	4448	mstsc.exe	cmd.exe
PID 4448 wrote to memory of 4192	4448	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:796
- C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:5088
- - C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:852
- C:\Windows\SysWOW64\mstsc.exe
  "C:\Windows\SysWOW64\mstsc.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4448
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\009888389998789290000-pdf.exe"
    3⤵
    PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/796-134-0x0000000002CB0000-0x0000000002E1E000-memory.dmp

Filesize
1.4MB

Download
memory/796-141-0x0000000008970000-0x0000000008A89000-memory.dmp

Filesize
1.1MB

Download
memory/852-130-0x0000000000000000-mapping.dmp

Download
memory/852-132-0x0000000000A80000-0x0000000000DCA000-memory.dmp

Filesize
3.3MB

Download
memory/852-133-0x00000000009C0000-0x00000000009D4000-memory.dmp

Filesize
80KB

Download
memory/4192-136-0x0000000000000000-mapping.dmp

Download
memory/4448-135-0x0000000000000000-mapping.dmp

Download
memory/4448-137-0x0000000000C20000-0x0000000000D5A000-memory.dmp

Filesize
1.2MB

Download
memory/4448-138-0x0000000000B30000-0x0000000000B5A000-memory.dmp

Filesize
168KB

Download
memory/4448-139-0x0000000002E30000-0x000000000317A000-memory.dmp

Filesize
3.3MB

Download
memory/4448-140-0x0000000002D60000-0x0000000002DF3000-memory.dmp

Filesize
588KB

Download
memory/5088-131-0x00000000006E0000-0x00000000006E9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads