formbook | 859aada0cf09832daace8902102e39989f7eac7e3152006ea017a9f27e22b162

General

Target

Ziraat Bankasi Swift Mesaji.exe
Size

469KB
MD5

25c2ebbd0e8c30072c147d523f0162f2
SHA1

d0ceb65655fc301e34c7750d1cb44908ae4a18ae
SHA256

859aada0cf09832daace8902102e39989f7eac7e3152006ea017a9f27e22b162
SHA512

2984620b54c2b541c378ae34572d73ee19943dee1d3ab8095c047f432f18b4e0a6715503e9108d838c72f9fc7f20712b4e3450f51dc01f3a5aad9552098967e0

Score

10^/10

formbook pr28 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pr28

Decoy

warehouseufohighbay.com

kingasia77.xyz

americanoutfittes.com

jemodaevangica.com

holigantv82.com

creamkidslife.com

skillzplanetoutreach.com

goldencityofficial.com

choiceaccessorise.com

kdgkzy.com

patra.tech

chicaglo.com

9491countyroad106.com

theultracleanser.com

lesmacarons.biz

kfaluminum.com

institutodiversidade.com

woodanqnmz.store

teslabuyerusa.com

cityofbastop.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1076-59-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1076-60-0x000000000041F1C0-mapping.dmp	formbook
behavioral1/memory/1076-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1060-70-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/1060-75-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeRegAsm.exerundll32.exe

description	pid	process	target process
PID 1100 set thread context of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1076 set thread context of 1400	1076	RegAsm.exe	Explorer.EXE
PID 1060 set thread context of 1400	1060	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

RegAsm.exerundll32.exe

pid	process
1076	RegAsm.exe
1076	RegAsm.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe
1060	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegAsm.exerundll32.exe

pid process

1076 RegAsm.exe
1076 RegAsm.exe
1076 RegAsm.exe
1060 rundll32.exe
1060 rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeRegAsm.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	1100	Ziraat Bankasi Swift Mesaji.exe
Token: SeDebugPrivilege	1076	RegAsm.exe
Token: SeDebugPrivilege	1060	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1400 Explorer.EXE
1400 Explorer.EXE

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

pid	process
1400	Explorer.EXE
1400	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

Ziraat Bankasi Swift Mesaji.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1100 wrote to memory of 1076	1100	Ziraat Bankasi Swift Mesaji.exe	RegAsm.exe
PID 1400 wrote to memory of 1060	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 1060	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 1060	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 1060	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 1060	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 1060	1400	Explorer.EXE	rundll32.exe
PID 1400 wrote to memory of 1060	1400	Explorer.EXE	rundll32.exe
PID 1060 wrote to memory of 240	1060	rundll32.exe	cmd.exe
PID 1060 wrote to memory of 240	1060	rundll32.exe	cmd.exe
PID 1060 wrote to memory of 240	1060	rundll32.exe	cmd.exe
PID 1060 wrote to memory of 240	1060	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe
  "C:\Users\Admin\AppData\Local\Temp\Ziraat Bankasi Swift Mesaji.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-72-0x0000000000000000-mapping.dmp

Download
memory/1060-67-0x0000000000000000-mapping.dmp

Download
memory/1060-75-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1060-73-0x00000000006B0000-0x0000000000744000-memory.dmp

Filesize
592KB

Download
memory/1060-71-0x0000000002150000-0x0000000002453000-memory.dmp

Filesize
3.0MB

Download
memory/1060-70-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1060-69-0x00000000009F0000-0x00000000009FE000-memory.dmp

Filesize
56KB

Download
memory/1076-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-65-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/1076-64-0x00000000024C0000-0x00000000027C3000-memory.dmp

Filesize
3.0MB

Download
memory/1076-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-60-0x000000000041F1C0-mapping.dmp

Download
memory/1076-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1100-54-0x0000000000050000-0x00000000000CC000-memory.dmp

Filesize
496KB

Download
memory/1100-55-0x0000000074B51000-0x0000000074B53000-memory.dmp

Filesize
8KB

Download
memory/1400-66-0x0000000003BF0000-0x0000000003CA5000-memory.dmp

Filesize
724KB

Download
memory/1400-74-0x0000000006070000-0x000000000619D000-memory.dmp

Filesize
1.2MB

Download
memory/1400-76-0x0000000006070000-0x000000000619D000-memory.dmp

Filesize
1.2MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads