formbook | c1faff57e041b52c6dc2a251eb60521621fc796330169d4e5b04a6e84cf49bf2

General

Target

Me jpg jpg jpg jpg jpg.exe
Size

794KB
MD5

2ede82a76d48e1a1cf3d3c55b18db290
SHA1

854589e5ea918e9033e56216a7f3d6bfd6dec59a
SHA256

f1c80232eaed26af259c818427b444f12057b9329804da8ded13ec9fd20d3413
SHA512

1e0deaf9afeed65367f7b0d04cc413449331820b03bd075dbadc1a593842ce3dc7f868ccee5aa7af32cc528d01558f5251313f938d1bc5a431f71ca0fe1f409a

Score

10^/10

formbook hha rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hha

Decoy

atarairdive.com

binanca.com

krepostta-sofia.com

chiangmaipartys.com

bestglobalseo.com

rdsri.com

immaginaeventi.com

lushrox.com

kenderia.com

goldenbrownacademy.com

kiddyquest.com

cs-support.online

magicovino.com

banderasacuadros.com

originalducatispareparts.com

tfpfleet.com

wickedmaple.com

fasypeoplesearch.com

zggwpmwdcp.com

boav11.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral6/memory/5024-137-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral6/memory/5024-142-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral6/memory/4212-148-0x00000000006C0000-0x00000000006ED000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

Me jpg jpg jpg jpg jpg.exeMe jpg jpg jpg jpg jpg.exeNETSTAT.EXE

description	pid	process	target process
PID 872 set thread context of 5024	872	Me jpg jpg jpg jpg jpg.exe	Me jpg jpg jpg jpg jpg.exe
PID 5024 set thread context of 3104	5024	Me jpg jpg jpg jpg jpg.exe	Explorer.EXE
PID 5024 set thread context of 3104	5024	Me jpg jpg jpg jpg jpg.exe	Explorer.EXE
PID 4212 set thread context of 3104	4212	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

NETSTAT.EXE

pid process

4212 NETSTAT.EXE

pid	process
4212	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Me jpg jpg jpg jpg jpg.exeNETSTAT.EXE

pid	process
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE
4212	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3104 Explorer.EXE

pid	process
3104	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Me jpg jpg jpg jpg jpg.exeNETSTAT.EXE

pid	process
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
5024	Me jpg jpg jpg jpg jpg.exe
4212	NETSTAT.EXE
4212	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Me jpg jpg jpg jpg jpg.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 5024 Me jpg jpg jpg jpg jpg.exe
Token: SeDebugPrivilege 4212 NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	5024	Me jpg jpg jpg jpg jpg.exe
Token: SeDebugPrivilege	4212	NETSTAT.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Me jpg jpg jpg jpg jpg.exeExplorer.EXEMe jpg jpg jpg jpg jpg.exeNETSTAT.EXE

description	pid	process	target process
PID 872 wrote to memory of 5024	872	Me jpg jpg jpg jpg jpg.exe	Me jpg jpg jpg jpg jpg.exe
PID 872 wrote to memory of 5024	872	Me jpg jpg jpg jpg jpg.exe	Me jpg jpg jpg jpg jpg.exe
PID 872 wrote to memory of 5024	872	Me jpg jpg jpg jpg jpg.exe	Me jpg jpg jpg jpg jpg.exe
PID 872 wrote to memory of 5024	872	Me jpg jpg jpg jpg jpg.exe	Me jpg jpg jpg jpg jpg.exe
PID 872 wrote to memory of 5024	872	Me jpg jpg jpg jpg jpg.exe	Me jpg jpg jpg jpg jpg.exe
PID 872 wrote to memory of 5024	872	Me jpg jpg jpg jpg jpg.exe	Me jpg jpg jpg jpg jpg.exe
PID 3104 wrote to memory of 2932	3104	Explorer.EXE	colorcpl.exe
PID 3104 wrote to memory of 2932	3104	Explorer.EXE	colorcpl.exe
PID 3104 wrote to memory of 2932	3104	Explorer.EXE	colorcpl.exe
PID 5024 wrote to memory of 4212	5024	Me jpg jpg jpg jpg jpg.exe	NETSTAT.EXE
PID 5024 wrote to memory of 4212	5024	Me jpg jpg jpg jpg jpg.exe	NETSTAT.EXE
PID 5024 wrote to memory of 4212	5024	Me jpg jpg jpg jpg jpg.exe	NETSTAT.EXE
PID 4212 wrote to memory of 820	4212	NETSTAT.EXE	cmd.exe
PID 4212 wrote to memory of 820	4212	NETSTAT.EXE	cmd.exe
PID 4212 wrote to memory of 820	4212	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3104
- C:\Users\Admin\AppData\Local\Temp\Me jpg jpg jpg jpg jpg.exe
  "C:\Users\Admin\AppData\Local\Temp\Me jpg jpg jpg jpg jpg.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:872
- - C:\Users\Admin\AppData\Local\Temp\Me jpg jpg jpg jpg jpg.exe
    "C:\Users\Admin\AppData\Local\Temp\Me jpg jpg jpg jpg jpg.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5024
  - - C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      4⤵
      Suspicious use of SetThreadContext
      Gathers network information
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4212
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\Me jpg jpg jpg jpg jpg.exe"
        5⤵
        
        PID:820
- C:\Windows\SysWOW64\colorcpl.exe
  "C:\Windows\SysWOW64\colorcpl.exe"
  2⤵
  PID:2932

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/820-146-0x0000000000000000-mapping.dmp

Download
memory/872-135-0x00000000056B0000-0x0000000005706000-memory.dmp

Filesize
344KB

Download
memory/872-133-0x00000000055B0000-0x0000000005642000-memory.dmp

Filesize
584KB

Download
memory/872-134-0x0000000005540000-0x000000000554A000-memory.dmp

Filesize
40KB

Download
memory/872-130-0x0000000000A40000-0x0000000000B0C000-memory.dmp

Filesize
816KB

Download
memory/872-131-0x0000000005470000-0x000000000550C000-memory.dmp

Filesize
624KB

Download
memory/872-132-0x0000000005AC0000-0x0000000006064000-memory.dmp

Filesize
5.6MB

Download
memory/3104-144-0x0000000007EF0000-0x0000000008042000-memory.dmp

Filesize
1.3MB

Download
memory/3104-141-0x00000000025F0000-0x0000000002731000-memory.dmp

Filesize
1.3MB

Download
memory/3104-151-0x0000000002830000-0x00000000028FA000-memory.dmp

Filesize
808KB

Download
memory/4212-145-0x0000000000000000-mapping.dmp

Download
memory/4212-149-0x0000000000F30000-0x000000000127A000-memory.dmp

Filesize
3.3MB

Download
memory/4212-147-0x0000000000D70000-0x0000000000D7B000-memory.dmp

Filesize
44KB

Download
memory/4212-148-0x00000000006C0000-0x00000000006ED000-memory.dmp

Filesize
180KB

Download
memory/4212-150-0x0000000000D80000-0x0000000000E13000-memory.dmp

Filesize
588KB

Download
memory/5024-138-0x00000000017B0000-0x0000000001AFA000-memory.dmp

Filesize
3.3MB

Download
memory/5024-143-0x0000000001B20000-0x0000000001B34000-memory.dmp

Filesize
80KB

Download
memory/5024-142-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5024-137-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/5024-136-0x0000000000000000-mapping.dmp

Download
memory/5024-140-0x0000000001770000-0x0000000001784000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads