formbook | c400e648af78ed3677bdca0096b54ea9e39c7418af48f4cac2936f424eb0ddc5

General

Target

Ziraat bankası swift mesaji.exe
Size

522KB
MD5

c701756136a34c15f281ce2fe6fd5904
SHA1

3002137e113c3b4b26f9aae7cd09b72a21146cb8
SHA256

c400e648af78ed3677bdca0096b54ea9e39c7418af48f4cac2936f424eb0ddc5
SHA512

4bccea01bf84da7829b64f02222149ea3b9093c23b8e699e20a17db6694e2e22b5a2820a1ebb356452844aa71c2f421c707e14e171662681e83b04204a7c81d4

Score

10^/10

formbook mh76 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1304-60-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1304-61-0x000000000041F1A0-mapping.dmp	formbook
behavioral1/memory/1304-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1240-70-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1240-74-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Ziraat bankası swift mesaji.exeInstallUtil.exeNAPSTAT.EXE

description	pid	process	target process
PID 1080 set thread context of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1304 set thread context of 1292	1304	InstallUtil.exe	Explorer.EXE
PID 1240 set thread context of 1292	1240	NAPSTAT.EXE	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

Ziraat bankası swift mesaji.exeInstallUtil.exeNAPSTAT.EXE

pid	process
1080	Ziraat bankası swift mesaji.exe
1080	Ziraat bankası swift mesaji.exe
1080	Ziraat bankası swift mesaji.exe
1304	InstallUtil.exe
1304	InstallUtil.exe
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

InstallUtil.exeNAPSTAT.EXE

pid process

1304 InstallUtil.exe
1304 InstallUtil.exe
1304 InstallUtil.exe
1240 NAPSTAT.EXE
1240 NAPSTAT.EXE

pid	process
1304	InstallUtil.exe
1304	InstallUtil.exe
1304	InstallUtil.exe
1240	NAPSTAT.EXE
1240	NAPSTAT.EXE

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Ziraat bankası swift mesaji.exeInstallUtil.exeNAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1080	Ziraat bankası swift mesaji.exe
Token: SeDebugPrivilege	1304	InstallUtil.exe
Token: SeDebugPrivilege	1240	NAPSTAT.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1292 Explorer.EXE
1292 Explorer.EXE

pid	process
1292	Explorer.EXE
1292	Explorer.EXE

pid	process
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

Ziraat bankası swift mesaji.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 1080 wrote to memory of 272	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 272	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 272	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 272	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 272	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 272	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 272	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1080 wrote to memory of 1304	1080	Ziraat bankası swift mesaji.exe	InstallUtil.exe
PID 1292 wrote to memory of 1240	1292	Explorer.EXE	NAPSTAT.EXE
PID 1292 wrote to memory of 1240	1292	Explorer.EXE	NAPSTAT.EXE
PID 1292 wrote to memory of 1240	1292	Explorer.EXE	NAPSTAT.EXE
PID 1292 wrote to memory of 1240	1292	Explorer.EXE	NAPSTAT.EXE
PID 1240 wrote to memory of 1524	1240	NAPSTAT.EXE	cmd.exe
PID 1240 wrote to memory of 1524	1240	NAPSTAT.EXE	cmd.exe
PID 1240 wrote to memory of 1524	1240	NAPSTAT.EXE	cmd.exe
PID 1240 wrote to memory of 1524	1240	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292

C:\Users\Admin\AppData\Local\Temp\Ziraat bankası swift mesaji.exe
"C:\Users\Admin\AppData\Local\Temp\Ziraat bankası swift mesaji.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
PID:272

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1304

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1240

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1524

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1080-54-0x0000000000BE0000-0x0000000000C68000-memory.dmp

Filesize
544KB

Download
memory/1080-55-0x0000000004B80000-0x0000000004C26000-memory.dmp

Filesize
664KB

Download
memory/1080-56-0x0000000000AB0000-0x0000000000AFC000-memory.dmp

Filesize
304KB

Download
memory/1240-71-0x00000000020B0000-0x00000000023B3000-memory.dmp

Filesize
3.0MB

Download
memory/1240-69-0x00000000002F0000-0x0000000000336000-memory.dmp

Filesize
280KB

Download
memory/1240-74-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1240-72-0x0000000001DE0000-0x0000000001E74000-memory.dmp

Filesize
592KB

Download
memory/1240-66-0x0000000000000000-mapping.dmp

Download
memory/1240-70-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1292-75-0x0000000006A10000-0x0000000006B3F000-memory.dmp

Filesize
1.2MB

Download
memory/1292-73-0x0000000006A10000-0x0000000006B3F000-memory.dmp

Filesize
1.2MB

Download
memory/1292-65-0x00000000043C0000-0x00000000044AC000-memory.dmp

Filesize
944KB

Download
memory/1304-64-0x00000000001A0000-0x00000000001B5000-memory.dmp

Filesize
84KB

Download
memory/1304-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1304-63-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/1304-61-0x000000000041F1A0-mapping.dmp

Download
memory/1304-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-68-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads