formbook | 8b32a471a19e78217ba94e7663567c3b1b1d86090df2febfb00bc2bd76b1e66a

General

Target

stud.exe
Size

755KB
MD5

6044900d66376321ad6f237d1b465ecc
SHA1

0147db0583256b648680a54573b288f9167cca67
SHA256

9099123ab27c467c09e2483339756820e29e6d8cd3d0346305d3873902e4af65
SHA512

03fdca6dfdccc2a17abbfb42adfb5a89a5e2a32b9929efde0689da17967db406dd55f057162d2324605254c354130c8b73077fa9bc4bf23053878ffc5f239076

Score

10^/10

formbook asa2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

asa2

Decoy

kznbf.info

dl-today.com

jiucai1688.com

makrobet508.com

xjyyjx.com

xn--riqq15a1oh5j5a.com

ecotrait.com

668opebet.com

lucyloveboutique.com

suddenslim.com

mettsing.com

0pe816.com

expressionsofebony.com

ripleychurchofchrist.com

cwinterim.com

qilu129.com

enoteca17.com

itbpolice.com

shoulderworkmassage.com

02lh.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/624-63-0x0000000000090000-0x00000000000BD000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1696 cmd.exe

pid	process
1696	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

stud.exestud.exewuapp.exe

description	pid	process	target process
PID 1376 set thread context of 1792	1376	stud.exe	stud.exe
PID 1792 set thread context of 1256	1792	stud.exe	Explorer.EXE
PID 624 set thread context of 1256	624	wuapp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

stud.exestud.exewuapp.exe

pid	process
1376	stud.exe
1792	stud.exe
1792	stud.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe
624	wuapp.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

stud.exestud.exewuapp.exe

pid process

1376 stud.exe
1792 stud.exe
1792 stud.exe
1792 stud.exe
624 wuapp.exe
624 wuapp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

stud.exewuapp.exe

description pid process

Token: SeDebugPrivilege 1792 stud.exe
Token: SeDebugPrivilege 624 wuapp.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
1256 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1792	stud.exe
Token: SeDebugPrivilege	624	wuapp.exe

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

pid	process
1256	Explorer.EXE
1256	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

stud.exeExplorer.EXEwuapp.exe

description	pid	process	target process
PID 1376 wrote to memory of 1792	1376	stud.exe	stud.exe
PID 1376 wrote to memory of 1792	1376	stud.exe	stud.exe
PID 1376 wrote to memory of 1792	1376	stud.exe	stud.exe
PID 1376 wrote to memory of 1792	1376	stud.exe	stud.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wuapp.exe
PID 1256 wrote to memory of 624	1256	Explorer.EXE	wuapp.exe
PID 624 wrote to memory of 1696	624	wuapp.exe	cmd.exe
PID 624 wrote to memory of 1696	624	wuapp.exe	cmd.exe
PID 624 wrote to memory of 1696	624	wuapp.exe	cmd.exe
PID 624 wrote to memory of 1696	624	wuapp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Users\Admin\AppData\Local\Temp\stud.exe
  "C:\Users\Admin\AppData\Local\Temp\stud.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\stud.exe
    "C:\Users\Admin\AppData\Local\Temp\stud.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1792
- C:\Windows\SysWOW64\autochk.exe
  "C:\Windows\SysWOW64\autochk.exe"
  2⤵
  PID:580
- C:\Windows\SysWOW64\wuapp.exe
  "C:\Windows\SysWOW64\wuapp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:624
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\stud.exe"
    3⤵
    - Deletes itself
    PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/624-63-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/624-60-0x0000000000000000-mapping.dmp

Download
memory/624-62-0x0000000000F20000-0x0000000000F2B000-memory.dmp

Filesize
44KB

Download
memory/624-64-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/624-65-0x0000000000D60000-0x0000000000DF3000-memory.dmp

Filesize
588KB

Download
memory/1256-59-0x0000000004C30000-0x0000000004D41000-memory.dmp

Filesize
1.1MB

Download
memory/1256-66-0x0000000004960000-0x0000000004A44000-memory.dmp

Filesize
912KB

Download
memory/1376-56-0x0000000000400000-0x00000000004C3000-memory.dmp

Filesize
780KB

Download
memory/1376-54-0x0000000075AE1000-0x0000000075AE3000-memory.dmp

Filesize
8KB

Download
memory/1696-61-0x0000000000000000-mapping.dmp

Download
memory/1792-55-0x000000000041E2A0-mapping.dmp

Download
memory/1792-57-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1792-58-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads