formbook | 8f48e9ea8fcfbc03fff80a621f21db65da0e777dc16fb62d97b5f4e4e0511dc7

General

Target

Inquiry.exe
Size

334KB
MD5

1a7fd254210f7ad82f72bebb508c6f19
SHA1

1225574ff9386945611656ed77925134d71f4c71
SHA256

1b4dea59e406d410a3d0d1ea8245c339fa8f5eb925f1378a09b0ee812c06508e
SHA512

0a6e328a22fa3fb42c27af80c0f104a3baf0520590fe1b508fa301d3cd465cf71a3434f04692676f6c45e13113f2045953a8c7800a53784fc2564934419dfe92

Score

10^/10

formbook ngs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.0

Campaign

ngs

Decoy

logismatic.com

smartfinanceclub.com

littlefingerkids.com

aibus.ltd

presentphoto.com

bilregister.info

feellightinbodymind.com

ulmansails.com

grovegaea.com

butt.gold

designersescape.com

ucuziplik.com

cekmiyor.store

villaniproperties.com

1buybuy.com

solarpanelchina.com

healthbenefits.site

sky962.com

xn--bent-8qa.com

alltraffic2update.download

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1220-60-0x000000000041E230-mapping.dmp	formbook
behavioral1/memory/1220-59-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1768-69-0x0000000000090000-0x00000000000BD000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

964 cmd.exe

pid	process
964	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Inquiry.exeInquiry.exerundll32.exe

description	pid	process	target process
PID 1956 set thread context of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1220 set thread context of 1276	1220	Inquiry.exe	Explorer.EXE
PID 1768 set thread context of 1276	1768	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

Inquiry.exeInquiry.exerundll32.exe

pid	process
1956	Inquiry.exe
1220	Inquiry.exe
1220	Inquiry.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe
1768	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Inquiry.exerundll32.exe

pid process

1220 Inquiry.exe
1220 Inquiry.exe
1220 Inquiry.exe
1768 rundll32.exe
1768 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Inquiry.exeInquiry.exerundll32.exe

description pid process

Token: SeDebugPrivilege 1956 Inquiry.exe
Token: SeDebugPrivilege 1220 Inquiry.exe
Token: SeDebugPrivilege 1768 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1276 Explorer.EXE
1276 Explorer.EXE

pid	process
1220	Inquiry.exe
1220	Inquiry.exe
1220	Inquiry.exe
1768	rundll32.exe
1768	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	1956	Inquiry.exe
Token: SeDebugPrivilege	1220	Inquiry.exe
Token: SeDebugPrivilege	1768	rundll32.exe

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

pid	process
1276	Explorer.EXE
1276	Explorer.EXE

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

Inquiry.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1956 wrote to memory of 1260	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1260	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1260	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1260	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1956 wrote to memory of 1220	1956	Inquiry.exe	Inquiry.exe
PID 1276 wrote to memory of 1768	1276	Explorer.EXE	rundll32.exe
PID 1276 wrote to memory of 1768	1276	Explorer.EXE	rundll32.exe
PID 1276 wrote to memory of 1768	1276	Explorer.EXE	rundll32.exe
PID 1276 wrote to memory of 1768	1276	Explorer.EXE	rundll32.exe
PID 1276 wrote to memory of 1768	1276	Explorer.EXE	rundll32.exe
PID 1276 wrote to memory of 1768	1276	Explorer.EXE	rundll32.exe
PID 1276 wrote to memory of 1768	1276	Explorer.EXE	rundll32.exe
PID 1768 wrote to memory of 964	1768	rundll32.exe	cmd.exe
PID 1768 wrote to memory of 964	1768	rundll32.exe	cmd.exe
PID 1768 wrote to memory of 964	1768	rundll32.exe	cmd.exe
PID 1768 wrote to memory of 964	1768	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
"C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956

C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
"{path}"
3⤵
PID:1260

C:\Users\Admin\AppData\Local\Temp\Inquiry.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1220

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Inquiry.exe"
3⤵
- Deletes itself
PID:964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-67-0x0000000000000000-mapping.dmp

Download
memory/1220-63-0x0000000000240000-0x0000000000254000-memory.dmp

Filesize
80KB

Download
memory/1220-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1220-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1220-60-0x000000000041E230-mapping.dmp

Download
memory/1220-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1220-62-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/1276-64-0x0000000004C60000-0x0000000004D3F000-memory.dmp

Filesize
892KB

Download
memory/1276-72-0x0000000004EE0000-0x0000000004FE5000-memory.dmp

Filesize
1.0MB

Download
memory/1768-65-0x0000000000000000-mapping.dmp

Download
memory/1768-68-0x0000000000810000-0x000000000081E000-memory.dmp

Filesize
56KB

Download
memory/1768-69-0x0000000000090000-0x00000000000BD000-memory.dmp

Filesize
180KB

Download
memory/1768-70-0x0000000002160000-0x0000000002463000-memory.dmp

Filesize
3.0MB

Download
memory/1768-71-0x00000000005B0000-0x0000000000643000-memory.dmp

Filesize
588KB

Download
memory/1956-54-0x0000000075F61000-0x0000000075F63000-memory.dmp

Filesize
8KB

Download
memory/1956-55-0x0000000074A80000-0x000000007502B000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads