formbook | ea7fd68474ee4b68b0efe56669644ad94474170ceca4f7aae769c0c06ac0ade2

General

Target

Doc10.exe
Size

508KB
MD5

a55491d76809f0c2ce2534145b58c2fb
SHA1

2ba489657ea9b82d76a5398f80bb31e2cfec6294
SHA256

d15344ff431c8df1a1de0618b7e0f4dfee59999eb7f26de6d462cc9c8e80a54a
SHA512

56e439f76b9b073e8b575accab64ca2d98c7a4de9a6c0df1d66247fdc2d3f3add250b1bc4a140bc06d72c2436be6e0766a64e4705386de06335539ba50ab9bb1

Score

10^/10

formbook s5l rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

s5l

Decoy

greenstock.info

laurajaneaesthetics.com

817comm.com

dbprimery.com

slzu-vxtx9.biz

covetpro.com

50.ink

weick.email

88717888.com

tongyue0423.com

anchorsky.com

horapatarot.com

cadillacforless.com

primesupplyvintage.com

torchinstant.win

thebrandishere.com

www-69677.com

savestj.com

tommydad.com

xigjailbreak.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/468-64-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/468-65-0x000000000041B6E0-mapping.dmp	formbook
behavioral1/memory/468-68-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1740-78-0x0000000000110000-0x000000000013A000-memory.dmp	formbook

Executes dropped EXE 1 IoCs

Processes:

Doc10.exe

pid process

468 Doc10.exe
Loads dropped DLL 1 IoCs

Processes:

Doc10.exe

pid process

1828 Doc10.exe

pid	process
468	Doc10.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Doc10.exeDoc10.exewininit.exe

description	pid	process	target process
PID 1828 set thread context of 468	1828	Doc10.exe	Doc10.exe
PID 468 set thread context of 1376	468	Doc10.exe	Explorer.EXE
PID 468 set thread context of 1376	468	Doc10.exe	Explorer.EXE
PID 1740 set thread context of 1376	1740	wininit.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 33 IoCs

Processes:

Doc10.exeDoc10.exewininit.exe

pid	process
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
1828	Doc10.exe
468	Doc10.exe
468	Doc10.exe
468	Doc10.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe
1740	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Doc10.exewininit.exe

pid process

468 Doc10.exe
468 Doc10.exe
468 Doc10.exe
468 Doc10.exe
1740 wininit.exe
1740 wininit.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Doc10.exeDoc10.exewininit.exe

description pid process

Token: SeDebugPrivilege 1828 Doc10.exe
Token: SeDebugPrivilege 468 Doc10.exe
Token: SeDebugPrivilege 1740 wininit.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE
1376 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1376 Explorer.EXE
1376 Explorer.EXE

pid	process
468	Doc10.exe
468	Doc10.exe
468	Doc10.exe
468	Doc10.exe
1740	wininit.exe
1740	wininit.exe

description	pid	process
Token: SeDebugPrivilege	1828	Doc10.exe
Token: SeDebugPrivilege	468	Doc10.exe
Token: SeDebugPrivilege	1740	wininit.exe

pid	process
1376	Explorer.EXE
1376	Explorer.EXE

pid	process
1376	Explorer.EXE
1376	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Doc10.exeDoc10.exewininit.exe

description	pid	process	target process
PID 1828 wrote to memory of 468	1828	Doc10.exe	Doc10.exe
PID 1828 wrote to memory of 468	1828	Doc10.exe	Doc10.exe
PID 1828 wrote to memory of 468	1828	Doc10.exe	Doc10.exe
PID 1828 wrote to memory of 468	1828	Doc10.exe	Doc10.exe
PID 1828 wrote to memory of 468	1828	Doc10.exe	Doc10.exe
PID 1828 wrote to memory of 468	1828	Doc10.exe	Doc10.exe
PID 1828 wrote to memory of 468	1828	Doc10.exe	Doc10.exe
PID 468 wrote to memory of 1740	468	Doc10.exe	wininit.exe
PID 468 wrote to memory of 1740	468	Doc10.exe	wininit.exe
PID 468 wrote to memory of 1740	468	Doc10.exe	wininit.exe
PID 468 wrote to memory of 1740	468	Doc10.exe	wininit.exe
PID 1740 wrote to memory of 1032	1740	wininit.exe	cmd.exe
PID 1740 wrote to memory of 1032	1740	wininit.exe	cmd.exe
PID 1740 wrote to memory of 1032	1740	wininit.exe	cmd.exe
PID 1740 wrote to memory of 1032	1740	wininit.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1376

C:\Users\Admin\AppData\Local\Temp\Doc10.exe
"C:\Users\Admin\AppData\Local\Temp\Doc10.exe"
2⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1828

C:\Users\Admin\AppData\Local\Temp\Doc10.exe
"C:\Users\Admin\AppData\Local\Temp\Doc10.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:468

C:\Windows\SysWOW64\wininit.exe
"C:\Windows\SysWOW64\wininit.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1740

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Doc10.exe"
5⤵
PID:1032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Doc10.exe
Filesize
508KB

MD5
a55491d76809f0c2ce2534145b58c2fb

SHA1
2ba489657ea9b82d76a5398f80bb31e2cfec6294

SHA256
d15344ff431c8df1a1de0618b7e0f4dfee59999eb7f26de6d462cc9c8e80a54a

SHA512
56e439f76b9b073e8b575accab64ca2d98c7a4de9a6c0df1d66247fdc2d3f3add250b1bc4a140bc06d72c2436be6e0766a64e4705386de06335539ba50ab9bb1

Download Submit
\Users\Admin\AppData\Local\Temp\Doc10.exe
Filesize
508KB

MD5
a55491d76809f0c2ce2534145b58c2fb

SHA1
2ba489657ea9b82d76a5398f80bb31e2cfec6294

SHA256
d15344ff431c8df1a1de0618b7e0f4dfee59999eb7f26de6d462cc9c8e80a54a

SHA512
56e439f76b9b073e8b575accab64ca2d98c7a4de9a6c0df1d66247fdc2d3f3add250b1bc4a140bc06d72c2436be6e0766a64e4705386de06335539ba50ab9bb1

Download Submit
memory/468-68-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/468-70-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/468-69-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/468-73-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/468-61-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/468-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/468-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/468-65-0x000000000041B6E0-mapping.dmp

Download
memory/1032-76-0x0000000000000000-mapping.dmp

Download
memory/1376-81-0x00000000065C0000-0x0000000006706000-memory.dmp

Filesize
1.3MB

Download
memory/1376-71-0x0000000003F40000-0x0000000003FF2000-memory.dmp

Filesize
712KB

Download
memory/1376-74-0x00000000062F0000-0x0000000006416000-memory.dmp

Filesize
1.1MB

Download
memory/1740-75-0x0000000000000000-mapping.dmp

Download
memory/1740-77-0x0000000000830000-0x000000000084A000-memory.dmp

Filesize
104KB

Download
memory/1740-78-0x0000000000110000-0x000000000013A000-memory.dmp

Filesize
168KB

Download
memory/1740-79-0x0000000001DE0000-0x00000000020E3000-memory.dmp

Filesize
3.0MB

Download
memory/1740-80-0x00000000020F0000-0x0000000002183000-memory.dmp

Filesize
588KB

Download
memory/1828-55-0x0000000075741000-0x0000000075743000-memory.dmp

Filesize
8KB

Download
memory/1828-56-0x0000000000660000-0x0000000000668000-memory.dmp

Filesize
32KB

Download
memory/1828-57-0x0000000000920000-0x0000000000958000-memory.dmp

Filesize
224KB

Download
memory/1828-58-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/1828-59-0x0000000000AE0000-0x0000000000AE8000-memory.dmp

Filesize
32KB

Download
memory/1828-54-0x0000000000DC0000-0x0000000000E44000-memory.dmp

Filesize
528KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads