formbook | 5dbc56add4738f555a48c4d1e8f9b773421c6881fed842b32c8866943458a17f

General

Target

Order InQuiry.exe
Size

324KB
MD5

cbf04abfe31536e464fb853fd145a6de
SHA1

696d354f611589cf631371cdade86277ea5dc224
SHA256

e8172cbc3806d750d00a5619e618ffc068b9d8247b5f4da507642e70e32ac3f9
SHA512

2162acf2c67f8abdb8602f5acfa6495c028c9ad3bde95c869efa8445c2fea4c083d6bd6122e0061469fff1dcefb6eec420bc6165257a0ef5e19e855a475d78c1

Score

10^/10

formbook q5e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q5e

Decoy

2177.ltd

thanxiety.com

max-width.com

fixti.net

mostmaj.com

mobilteknolojiuzmani.com

historyannals.com

wheelchairmotion.com

mossandmoonstonestudio.com

kastellifournis.com

axokey.net

peekl.com

metsteeshirt.com

abcfinancial-inc.com

btxrsp.com

amydh.com

ccoauthority.com

lumacorretora.com

kimfelixrealtor.com

iconext.biz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1488-59-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/1488-60-0x000000000041E2A0-mapping.dmp	formbook
behavioral1/memory/1488-65-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Order InQuiry.exeOrder InQuiry.exe

description	pid	process	target process
PID 960 set thread context of 1488	960	Order InQuiry.exe	Order InQuiry.exe
PID 1488 set thread context of 1368	1488	Order InQuiry.exe	Explorer.EXE
PID 1488 set thread context of 1368	1488	Order InQuiry.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

Order InQuiry.exeOrder InQuiry.exe

pid process

960 Order InQuiry.exe
960 Order InQuiry.exe
960 Order InQuiry.exe
1488 Order InQuiry.exe
1488 Order InQuiry.exe
1488 Order InQuiry.exe
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

Order InQuiry.exe

pid process

1488 Order InQuiry.exe
1488 Order InQuiry.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Order InQuiry.exeOrder InQuiry.exe

description pid process

Token: SeDebugPrivilege 960 Order InQuiry.exe
Token: SeDebugPrivilege 1488 Order InQuiry.exe

pid	process
960	Order InQuiry.exe
960	Order InQuiry.exe
960	Order InQuiry.exe
1488	Order InQuiry.exe
1488	Order InQuiry.exe
1488	Order InQuiry.exe

pid	process
1488	Order InQuiry.exe
1488	Order InQuiry.exe

description	pid	process
Token: SeDebugPrivilege	960	Order InQuiry.exe
Token: SeDebugPrivilege	1488	Order InQuiry.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

Order InQuiry.exe

description	pid	process	target process
PID 960 wrote to memory of 1488	960	Order InQuiry.exe	Order InQuiry.exe
PID 960 wrote to memory of 1488	960	Order InQuiry.exe	Order InQuiry.exe
PID 960 wrote to memory of 1488	960	Order InQuiry.exe	Order InQuiry.exe
PID 960 wrote to memory of 1488	960	Order InQuiry.exe	Order InQuiry.exe
PID 960 wrote to memory of 1488	960	Order InQuiry.exe	Order InQuiry.exe
PID 960 wrote to memory of 1488	960	Order InQuiry.exe	Order InQuiry.exe
PID 960 wrote to memory of 1488	960	Order InQuiry.exe	Order InQuiry.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\Order InQuiry.exe
"C:\Users\Admin\AppData\Local\Temp\Order InQuiry.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:960

C:\Users\Admin\AppData\Local\Temp\Order InQuiry.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1488

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/960-54-0x0000000076571000-0x0000000076573000-memory.dmp

Filesize
8KB

Download
memory/960-55-0x0000000074940000-0x0000000074EEB000-memory.dmp

Filesize
5.7MB

Download
memory/1368-64-0x0000000004940000-0x0000000004A0F000-memory.dmp

Filesize
828KB

Download
memory/1368-67-0x0000000006A60000-0x0000000006BB3000-memory.dmp

Filesize
1.3MB

Download
memory/1488-56-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-57-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-59-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-60-0x000000000041E2A0-mapping.dmp

Download
memory/1488-62-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/1488-63-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/1488-65-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1488-66-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads