formbook | cad3c55468a545fa192d342b696c573a3d19c36673fd7524e982069fe3bb6109

General

Target

tmp.exe
Size

770KB
MD5

952e007eaae74fbdc16ba43932395b4b
SHA1

54fcb053d09600ffda2d4e95d050e7991a75acb0
SHA256

cad3c55468a545fa192d342b696c573a3d19c36673fd7524e982069fe3bb6109
SHA512

2dd973e9662f4eab0b7631df189b90cadf5ecf5ab2ee9a8f26d49e83040cf4666726a44047e355f404c3f9f776481eeec075734d52d00c5e39cc97b1ef135fb1

Score

10^/10

formbook s0s2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s0s2

Decoy

stripe-forecast.com

perfectingnextstage.com

primarole.com

nonnydesigns.com

wordsofweightandlevity.com

mafleursam.com

hardwarepicker.tech

minex-intl.com

thenextbigtech.net

rabeproject.com

sticktogracestudio.com

releve.space

readoku.net

carings.net

nasdaq-ex.store

au-techng.com

thethoughtgenius.com

how-to-learn-languages.net

kitabisabelanja.com

awndka.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5060-136-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/5060-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2928-145-0x0000000000D10000-0x0000000000D3F000-memory.dmp	formbook
behavioral2/memory/2928-149-0x0000000000D10000-0x0000000000D3F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

74 2928 msiexec.exe

flow	pid	process
74	2928	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.exemsiexec.exe

description	pid	process	target process
PID 3180 set thread context of 5060	3180	tmp.exe	tmp.exe
PID 5060 set thread context of 1880	5060	tmp.exe	Explorer.EXE
PID 2928 set thread context of 1880	2928	msiexec.exe	Explorer.EXE

Modifies registry class 3 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

tmp.exetmp.exemsiexec.exe

pid	process
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
3180	tmp.exe
5060	tmp.exe
5060	tmp.exe
5060	tmp.exe
5060	tmp.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe
2928	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1880 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tmp.exemsiexec.exe

pid process

5060 tmp.exe
5060 tmp.exe
5060 tmp.exe
2928 msiexec.exe
2928 msiexec.exe

pid	process
1880	Explorer.EXE

pid	process
5060	tmp.exe
5060	tmp.exe
5060	tmp.exe
2928	msiexec.exe
2928	msiexec.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

Processes:

tmp.exetmp.exemsiexec.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	3180	tmp.exe
Token: SeDebugPrivilege	5060	tmp.exe
Token: SeDebugPrivilege	2928	msiexec.exe
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE
Token: SeShutdownPrivilege	1880	Explorer.EXE
Token: SeCreatePagefilePrivilege	1880	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1880 Explorer.EXE
1880 Explorer.EXE

pid	process
1880	Explorer.EXE
1880	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 3180 wrote to memory of 5060	3180	tmp.exe	tmp.exe
PID 3180 wrote to memory of 5060	3180	tmp.exe	tmp.exe
PID 3180 wrote to memory of 5060	3180	tmp.exe	tmp.exe
PID 3180 wrote to memory of 5060	3180	tmp.exe	tmp.exe
PID 3180 wrote to memory of 5060	3180	tmp.exe	tmp.exe
PID 3180 wrote to memory of 5060	3180	tmp.exe	tmp.exe
PID 1880 wrote to memory of 2928	1880	Explorer.EXE	msiexec.exe
PID 1880 wrote to memory of 2928	1880	Explorer.EXE	msiexec.exe
PID 1880 wrote to memory of 2928	1880	Explorer.EXE	msiexec.exe
PID 2928 wrote to memory of 3356	2928	msiexec.exe	cmd.exe
PID 2928 wrote to memory of 3356	2928	msiexec.exe	cmd.exe
PID 2928 wrote to memory of 3356	2928	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3180

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:5060

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:3332

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2928

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:3356

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-141-0x0000000002F30000-0x0000000002FEA000-memory.dmp

Filesize
744KB

Download
memory/1880-150-0x00000000086A0000-0x00000000087BE000-memory.dmp

Filesize
1.1MB

Download
memory/1880-148-0x00000000086A0000-0x00000000087BE000-memory.dmp

Filesize
1.1MB

Download
memory/2928-146-0x0000000002EC0000-0x000000000320A000-memory.dmp

Filesize
3.3MB

Download
memory/2928-145-0x0000000000D10000-0x0000000000D3F000-memory.dmp

Filesize
188KB

Download
memory/2928-149-0x0000000000D10000-0x0000000000D3F000-memory.dmp

Filesize
188KB

Download
memory/2928-147-0x0000000002D20000-0x0000000002DB3000-memory.dmp

Filesize
588KB

Download
memory/2928-142-0x0000000000000000-mapping.dmp

Download
memory/2928-144-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/3180-131-0x00000000080D0000-0x0000000008674000-memory.dmp

Filesize
5.6MB

Download
memory/3180-132-0x0000000007CC0000-0x0000000007D52000-memory.dmp

Filesize
584KB

Download
memory/3180-130-0x0000000000840000-0x000000000090A000-memory.dmp

Filesize
808KB

Download
memory/3180-133-0x0000000007C20000-0x0000000007C2A000-memory.dmp

Filesize
40KB

Download
memory/3180-134-0x000000000B3E0000-0x000000000B47C000-memory.dmp

Filesize
624KB

Download
memory/3356-143-0x0000000000000000-mapping.dmp

Download
memory/5060-140-0x0000000000D90000-0x0000000000DA4000-memory.dmp

Filesize
80KB

Download
memory/5060-139-0x0000000001250000-0x000000000159A000-memory.dmp

Filesize
3.3MB

Download
memory/5060-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-136-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5060-135-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads