formbook | 745e00e4a43761d5c4be5e29a539cda4e8ca2a45755b44e35321ced4a8d400c3

General

Target

YEw0N670fLb3Qwz.exe
Size

445KB
MD5

767febc4e7ba132342b5271a06a370c8
SHA1

3997eb76ba7da530ef6624d37d6218bf89400159
SHA256

0b6acf8d9861c0c69b88b7a7bf1427c5245bbd968e96db1cdb08b8432442c729
SHA512

5d3ff4c987aa5dce84b2ef944214149a2e1723f140182331e5693fc548fbb3c6026a55dc37eeb4ccc55b1173a76c9bebf0d3d7f26179ef99583fc2abf32d5120

Score

10^/10

formbook cdm rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

cdm

Decoy

ldren.net

smtpsystem.com

elbastonazul.com

clickmailservice.com

housesearch.today

jingwei-pingtai.com

briankarenontour.com

wwwjinsha520.com

greenhouseci.net

cyberexpo.events

soundepict.com

hansardtracker.com

abenaasare.net

policemoviefestival.com

cryptocurrencyrocks.money

carliequinnesthetician.com

finestmilan.com

diclar.com

thependletonsurfclub.com

raku.party

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2024-62-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2024-63-0x000000000041E2F0-mapping.dmp	formbook
behavioral1/memory/2024-65-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2036-72-0x00000000000B0000-0x00000000000DD000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1376 cmd.exe

pid	process
1376	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

YEw0N670fLb3Qwz.exeYEw0N670fLb3Qwz.execmstp.exe

description	pid	process	target process
PID 1652 set thread context of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 2024 set thread context of 1252	2024	YEw0N670fLb3Qwz.exe	Explorer.EXE
PID 2036 set thread context of 1252	2036	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

YEw0N670fLb3Qwz.exeYEw0N670fLb3Qwz.execmstp.exe

pid	process
1652	YEw0N670fLb3Qwz.exe
1652	YEw0N670fLb3Qwz.exe
2024	YEw0N670fLb3Qwz.exe
2024	YEw0N670fLb3Qwz.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe
2036	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

YEw0N670fLb3Qwz.execmstp.exe

pid process

2024 YEw0N670fLb3Qwz.exe
2024 YEw0N670fLb3Qwz.exe
2024 YEw0N670fLb3Qwz.exe
2036 cmstp.exe
2036 cmstp.exe

pid	process
2024	YEw0N670fLb3Qwz.exe
2024	YEw0N670fLb3Qwz.exe
2024	YEw0N670fLb3Qwz.exe
2036	cmstp.exe
2036	cmstp.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

YEw0N670fLb3Qwz.exeYEw0N670fLb3Qwz.execmstp.exe

description	pid	process
Token: SeDebugPrivilege	1652	YEw0N670fLb3Qwz.exe
Token: SeDebugPrivilege	2024	YEw0N670fLb3Qwz.exe
Token: SeDebugPrivilege	2036	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1252 Explorer.EXE
1252 Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

pid	process
1252	Explorer.EXE
1252	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

YEw0N670fLb3Qwz.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 1652 wrote to memory of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 1652 wrote to memory of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 1652 wrote to memory of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 1652 wrote to memory of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 1652 wrote to memory of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 1652 wrote to memory of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 1652 wrote to memory of 2024	1652	YEw0N670fLb3Qwz.exe	YEw0N670fLb3Qwz.exe
PID 1252 wrote to memory of 2036	1252	Explorer.EXE	cmstp.exe
PID 1252 wrote to memory of 2036	1252	Explorer.EXE	cmstp.exe
PID 1252 wrote to memory of 2036	1252	Explorer.EXE	cmstp.exe
PID 1252 wrote to memory of 2036	1252	Explorer.EXE	cmstp.exe
PID 1252 wrote to memory of 2036	1252	Explorer.EXE	cmstp.exe
PID 1252 wrote to memory of 2036	1252	Explorer.EXE	cmstp.exe
PID 1252 wrote to memory of 2036	1252	Explorer.EXE	cmstp.exe
PID 2036 wrote to memory of 1376	2036	cmstp.exe	cmd.exe
PID 2036 wrote to memory of 1376	2036	cmstp.exe	cmd.exe
PID 2036 wrote to memory of 1376	2036	cmstp.exe	cmd.exe
PID 2036 wrote to memory of 1376	2036	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1252

C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe
"C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1652

C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2024

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2012

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2008

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1396

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1888

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:564

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:336

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1016

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1936

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1704

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1452

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1184

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:1484

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\YEw0N670fLb3Qwz.exe"
3⤵
- Deletes itself
PID:1376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1252-76-0x00000000079C0000-0x0000000007B4F000-memory.dmp

Filesize
1.6MB

Download
memory/1252-68-0x0000000007890000-0x00000000079B2000-memory.dmp

Filesize
1.1MB

Download
memory/1376-73-0x0000000000000000-mapping.dmp

Download
memory/1652-54-0x0000000001020000-0x0000000001096000-memory.dmp

Filesize
472KB

Download
memory/1652-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1652-56-0x0000000000350000-0x000000000035A000-memory.dmp

Filesize
40KB

Download
memory/1652-57-0x0000000000630000-0x0000000000686000-memory.dmp

Filesize
344KB

Download
memory/1652-58-0x00000000004E0000-0x0000000000512000-memory.dmp

Filesize
200KB

Download
memory/2024-66-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/2024-67-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/2024-63-0x000000000041E2F0-mapping.dmp

Download
memory/2024-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2024-62-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2024-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2024-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2036-69-0x0000000000000000-mapping.dmp

Download
memory/2036-71-0x0000000000030000-0x0000000000048000-memory.dmp

Filesize
96KB

Download
memory/2036-72-0x00000000000B0000-0x00000000000DD000-memory.dmp

Filesize
180KB

Download
memory/2036-74-0x0000000001E80000-0x0000000002183000-memory.dmp

Filesize
3.0MB

Download
memory/2036-75-0x0000000001D10000-0x0000000001DA3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads