formbook | cad3c55468a545fa192d342b696c573a3d19c36673fd7524e982069fe3bb6109

General

Target

tmp.exe
Size

770KB
MD5

952e007eaae74fbdc16ba43932395b4b
SHA1

54fcb053d09600ffda2d4e95d050e7991a75acb0
SHA256

cad3c55468a545fa192d342b696c573a3d19c36673fd7524e982069fe3bb6109
SHA512

2dd973e9662f4eab0b7631df189b90cadf5ecf5ab2ee9a8f26d49e83040cf4666726a44047e355f404c3f9f776481eeec075734d52d00c5e39cc97b1ef135fb1

Score

10^/10

formbook s0s2 rat spyware stealer suricata trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s0s2

Decoy

stripe-forecast.com

perfectingnextstage.com

primarole.com

nonnydesigns.com

wordsofweightandlevity.com

mafleursam.com

hardwarepicker.tech

minex-intl.com

thenextbigtech.net

rabeproject.com

sticktogracestudio.com

releve.space

readoku.net

carings.net

nasdaq-ex.store

au-techng.com

thethoughtgenius.com

how-to-learn-languages.net

kitabisabelanja.com

awndka.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata

Formbook Payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1524-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1524-62-0x000000000041F110-mapping.dmp	formbook
behavioral1/memory/1524-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1016-72-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/1016-76-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1696 cmd.exe

pid	process
1696	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.exerundll32.exe

description	pid	process	target process
PID 892 set thread context of 1524	892	tmp.exe	tmp.exe
PID 1524 set thread context of 1392	1524	tmp.exe	Explorer.EXE
PID 1016 set thread context of 1392	1016	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

tmp.exetmp.exerundll32.exe

pid	process
892	tmp.exe
892	tmp.exe
892	tmp.exe
892	tmp.exe
892	tmp.exe
892	tmp.exe
892	tmp.exe
1524	tmp.exe
1524	tmp.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe
1016	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tmp.exerundll32.exe

pid process

1524 tmp.exe
1524 tmp.exe
1524 tmp.exe
1016 rundll32.exe
1016 rundll32.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exetmp.exerundll32.exe

description pid process

Token: SeDebugPrivilege 892 tmp.exe
Token: SeDebugPrivilege 1524 tmp.exe
Token: SeDebugPrivilege 1016 rundll32.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
1392 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1392 Explorer.EXE
1392 Explorer.EXE

pid	process
1524	tmp.exe
1524	tmp.exe
1524	tmp.exe
1016	rundll32.exe
1016	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	892	tmp.exe
Token: SeDebugPrivilege	1524	tmp.exe
Token: SeDebugPrivilege	1016	rundll32.exe

pid	process
1392	Explorer.EXE
1392	Explorer.EXE

pid	process
1392	Explorer.EXE
1392	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

tmp.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 892 wrote to memory of 1524	892	tmp.exe	tmp.exe
PID 892 wrote to memory of 1524	892	tmp.exe	tmp.exe
PID 892 wrote to memory of 1524	892	tmp.exe	tmp.exe
PID 892 wrote to memory of 1524	892	tmp.exe	tmp.exe
PID 892 wrote to memory of 1524	892	tmp.exe	tmp.exe
PID 892 wrote to memory of 1524	892	tmp.exe	tmp.exe
PID 892 wrote to memory of 1524	892	tmp.exe	tmp.exe
PID 1392 wrote to memory of 1016	1392	Explorer.EXE	rundll32.exe
PID 1392 wrote to memory of 1016	1392	Explorer.EXE	rundll32.exe
PID 1392 wrote to memory of 1016	1392	Explorer.EXE	rundll32.exe
PID 1392 wrote to memory of 1016	1392	Explorer.EXE	rundll32.exe
PID 1392 wrote to memory of 1016	1392	Explorer.EXE	rundll32.exe
PID 1392 wrote to memory of 1016	1392	Explorer.EXE	rundll32.exe
PID 1392 wrote to memory of 1016	1392	Explorer.EXE	rundll32.exe
PID 1016 wrote to memory of 1696	1016	rundll32.exe	cmd.exe
PID 1016 wrote to memory of 1696	1016	rundll32.exe	cmd.exe
PID 1016 wrote to memory of 1696	1016	rundll32.exe	cmd.exe
PID 1016 wrote to memory of 1696	1016	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1392

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:892

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1524

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Deletes itself
PID:1696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-55-0x00000000002D0000-0x00000000002E6000-memory.dmp

Filesize
88KB

Download
memory/892-56-0x0000000007450000-0x00000000074BC000-memory.dmp

Filesize
432KB

Download
memory/892-57-0x0000000000CE0000-0x0000000000D14000-memory.dmp

Filesize
208KB

Download
memory/892-54-0x0000000001340000-0x000000000140A000-memory.dmp

Filesize
808KB

Download
memory/1016-67-0x0000000000000000-mapping.dmp

Download
memory/1016-76-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1016-74-0x0000000000B30000-0x0000000000BC3000-memory.dmp

Filesize
588KB

Download
memory/1016-73-0x00000000021F0000-0x00000000024F3000-memory.dmp

Filesize
3.0MB

Download
memory/1016-72-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/1016-71-0x0000000000690000-0x000000000069E000-memory.dmp

Filesize
56KB

Download
memory/1016-69-0x0000000075441000-0x0000000075443000-memory.dmp

Filesize
8KB

Download
memory/1392-66-0x0000000006B60000-0x0000000006C60000-memory.dmp

Filesize
1024KB

Download
memory/1392-75-0x00000000062A0000-0x0000000006365000-memory.dmp

Filesize
788KB

Download
memory/1392-77-0x00000000062A0000-0x0000000006365000-memory.dmp

Filesize
788KB

Download
memory/1524-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-65-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1524-64-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/1524-62-0x000000000041F110-mapping.dmp

Download
memory/1524-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1524-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1696-70-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads