formbook | a358e0ac42cc7258d72ea98605bd22a1bbdc15e0f9421849956fcb7b08da34fa

General

Target

REQUERIDA.exe
Size

500KB
MD5

e07d5b6d29e7cae1ea8546b4783601b8
SHA1

d5c823bdee28ccf2bd18e683eca270d6c031cb72
SHA256

3ec51daa2ad133cfcdce1ffca7081f96ee58d9b5c2d302cee732e6e2cc3d8cc6
SHA512

adf6f6b1a142d17df561d7181c6d4a1e3d6b8663fdfde5f2ae72459cadd63f7daf72a6d6d5233071a2af9a7be7f2f7a10d05aabe20db258826bcf2b401e5124c

Score

10^/10

formbook m5gz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m5gz

Decoy

provtanks.com

partybuskingz.com

viewtechborescopes.com

larepco.info

lacuartetera.net

rpueuetd.com

maximalneoptimalne.com

gravitywavegame.com

kencoxvaspecialist.com

mein-markisenland-ev.com

cannachocolata.com

themeatsheet.com

emarketschool.com

fastinternet.systems

fxqlf.com

pixanliber.com

omgree.com

delraybees.com

hbamicrosupport.com

ginlj.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3164-136-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/3404-143-0x0000000000350000-0x000000000037D000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

REQUERIDA.exeREQUERIDA.execmstp.exe

description	pid	process	target process
PID 3816 set thread context of 3164	3816	REQUERIDA.exe	REQUERIDA.exe
PID 3164 set thread context of 3120	3164	REQUERIDA.exe	Explorer.EXE
PID 3404 set thread context of 3120	3404	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 37 IoCs

Processes:

REQUERIDA.exeREQUERIDA.execmstp.exe

pid	process
3816	REQUERIDA.exe
3816	REQUERIDA.exe
3816	REQUERIDA.exe
3164	REQUERIDA.exe
3164	REQUERIDA.exe
3164	REQUERIDA.exe
3164	REQUERIDA.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe
3404	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3120 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

REQUERIDA.execmstp.exe

pid process

3164 REQUERIDA.exe
3164 REQUERIDA.exe
3164 REQUERIDA.exe
3404 cmstp.exe
3404 cmstp.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

REQUERIDA.exeREQUERIDA.execmstp.exe

description pid process

Token: SeDebugPrivilege 3816 REQUERIDA.exe
Token: SeDebugPrivilege 3164 REQUERIDA.exe
Token: SeDebugPrivilege 3404 cmstp.exe

pid	process
3120	Explorer.EXE

pid	process
3164	REQUERIDA.exe
3164	REQUERIDA.exe
3164	REQUERIDA.exe
3404	cmstp.exe
3404	cmstp.exe

description	pid	process
Token: SeDebugPrivilege	3816	REQUERIDA.exe
Token: SeDebugPrivilege	3164	REQUERIDA.exe
Token: SeDebugPrivilege	3404	cmstp.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

REQUERIDA.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 3816 wrote to memory of 3164	3816	REQUERIDA.exe	REQUERIDA.exe
PID 3816 wrote to memory of 3164	3816	REQUERIDA.exe	REQUERIDA.exe
PID 3816 wrote to memory of 3164	3816	REQUERIDA.exe	REQUERIDA.exe
PID 3816 wrote to memory of 3164	3816	REQUERIDA.exe	REQUERIDA.exe
PID 3816 wrote to memory of 3164	3816	REQUERIDA.exe	REQUERIDA.exe
PID 3816 wrote to memory of 3164	3816	REQUERIDA.exe	REQUERIDA.exe
PID 3120 wrote to memory of 3404	3120	Explorer.EXE	cmstp.exe
PID 3120 wrote to memory of 3404	3120	Explorer.EXE	cmstp.exe
PID 3120 wrote to memory of 3404	3120	Explorer.EXE	cmstp.exe
PID 3404 wrote to memory of 1068	3404	cmstp.exe	cmd.exe
PID 3404 wrote to memory of 1068	3404	cmstp.exe	cmd.exe
PID 3404 wrote to memory of 1068	3404	cmstp.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\REQUERIDA.exe
"C:\Users\Admin\AppData\Local\Temp\REQUERIDA.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3816

C:\Users\Admin\AppData\Local\Temp\REQUERIDA.exe
"C:\Users\Admin\AppData\Local\Temp\REQUERIDA.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3164

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3120

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3404

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\REQUERIDA.exe"
3⤵
PID:1068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1068-144-0x0000000000000000-mapping.dmp

Download
memory/3120-147-0x0000000008510000-0x0000000008613000-memory.dmp

Filesize
1.0MB

Download
memory/3120-140-0x0000000003200000-0x0000000003349000-memory.dmp

Filesize
1.3MB

Download
memory/3164-139-0x0000000001950000-0x0000000001964000-memory.dmp

Filesize
80KB

Download
memory/3164-138-0x00000000019C0000-0x0000000001D0A000-memory.dmp

Filesize
3.3MB

Download
memory/3164-135-0x0000000000000000-mapping.dmp

Download
memory/3164-136-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3404-142-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

Filesize
88KB

Download
memory/3404-141-0x0000000000000000-mapping.dmp

Download
memory/3404-143-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/3404-145-0x00000000025A0000-0x00000000028EA000-memory.dmp

Filesize
3.3MB

Download
memory/3404-146-0x0000000000E70000-0x0000000000F03000-memory.dmp

Filesize
588KB

Download
memory/3816-134-0x0000000007C60000-0x0000000007C6A000-memory.dmp

Filesize
40KB

Download
memory/3816-133-0x0000000007D50000-0x0000000007DEC000-memory.dmp

Filesize
624KB

Download
memory/3816-130-0x0000000000B10000-0x0000000000B94000-memory.dmp

Filesize
528KB

Download
memory/3816-131-0x0000000008080000-0x0000000008624000-memory.dmp

Filesize
5.6MB

Download
memory/3816-132-0x0000000007CB0000-0x0000000007D42000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads