formbook | 56122070a3bdb1f168cbae330d58b9c268700509420d2670ccafd01221b45751

Analysis

max time kernel
148s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 05:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

files/14.exe
Size

632KB
MD5

cf123d2f8c6cf7a88472483607163eb5
SHA1

7f15a558d3d63d689d754d3cea804b9ebb79c50b
SHA256

f11ce5b6edfa6ee04b2334cb820f03fd99df64185daf857f4a241653ef2f1a64
SHA512

9b9bb092d139447df86a8286dae1907f56e624e0324ec693e9f91c1b0f2e25041e3187fe44ae618b6cdf35715373ff05b5825d416fb9d858bf265b44cb26ed6d

Score

10^/10

formbook di rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

baoxiaofan.com

bestwaycartage.com

sag-architecture.com

salamcanteen.com

clinicalpsychologistkerala.com

mttv222.com

theweproject.com

fybbracelets.net

vv666h.com

bangfupin.com

arkprojetos.com

realgoaldigger.com

pilotedphotography.com

6zonxm55.biz

gaoduanmi.com

aminahmad.com

bountymarketing.net

christopher-rennebach.com

02xjys.faith

estilomiau.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral12/memory/536-133-0x0000000000000000-mapping.dmp	formbook
behavioral12/memory/536-135-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral12/memory/536-141-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral12/memory/3568-144-0x0000000000690000-0x00000000006BA000-memory.dmp	formbook
behavioral12/memory/3568-148-0x0000000000690000-0x00000000006BA000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

Processes:

14.exeraserver.exe

description	pid	process	target process
PID 536 set thread context of 2476	536	14.exe	Explorer.EXE
PID 3568 set thread context of 2476	3568	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 54 IoCs

Processes:

14.exeraserver.exe

pid	process
536	14.exe
536	14.exe
536	14.exe
536	14.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe
3568	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2476 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

14.exeraserver.exe

pid process

536 14.exe
536 14.exe
536 14.exe
3568 raserver.exe
3568 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

14.exeraserver.exe

description pid process

Token: SeDebugPrivilege 536 14.exe
Token: SeDebugPrivilege 3568 raserver.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

14.exe

pid process

4400 14.exe

pid	process
2476	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	536	14.exe
Token: SeDebugPrivilege	3568	raserver.exe

pid	process
4400	14.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

14.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 4400 wrote to memory of 536	4400	14.exe	14.exe
PID 2476 wrote to memory of 3568	2476	Explorer.EXE	raserver.exe
PID 2476 wrote to memory of 3568	2476	Explorer.EXE	raserver.exe
PID 2476 wrote to memory of 3568	2476	Explorer.EXE	raserver.exe
PID 3568 wrote to memory of 4252	3568	raserver.exe	cmd.exe
PID 3568 wrote to memory of 4252	3568	raserver.exe	cmd.exe
PID 3568 wrote to memory of 4252	3568	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2476

C:\Users\Admin\AppData\Local\Temp\files\14.exe
"C:\Users\Admin\AppData\Local\Temp\files\14.exe"
2⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4400

C:\Users\Admin\AppData\Local\Temp\files\14.exe
"C:\Users\Admin\AppData\Local\Temp\files\14.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:536

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3568

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\files\14.exe"
3⤵
PID:4252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/536-141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/536-137-0x0000000000A40000-0x0000000000D8A000-memory.dmp

Filesize
3.3MB

Download
memory/536-133-0x0000000000000000-mapping.dmp

Download
memory/536-135-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/536-138-0x0000000000750000-0x0000000000764000-memory.dmp

Filesize
80KB

Download
memory/2476-139-0x0000000003300000-0x00000000033FF000-memory.dmp

Filesize
1020KB

Download
memory/2476-147-0x0000000008480000-0x00000000085FD000-memory.dmp

Filesize
1.5MB

Download
memory/2476-149-0x0000000008480000-0x00000000085FD000-memory.dmp

Filesize
1.5MB

Download
memory/3568-143-0x0000000000D00000-0x0000000000D1F000-memory.dmp

Filesize
124KB

Download
memory/3568-140-0x0000000000000000-mapping.dmp

Download
memory/3568-144-0x0000000000690000-0x00000000006BA000-memory.dmp

Filesize
168KB

Download
memory/3568-145-0x0000000002620000-0x000000000296A000-memory.dmp

Filesize
3.3MB

Download
memory/3568-146-0x0000000002510000-0x00000000025A3000-memory.dmp

Filesize
588KB

Download
memory/3568-148-0x0000000000690000-0x00000000006BA000-memory.dmp

Filesize
168KB

Download
memory/4252-142-0x0000000000000000-mapping.dmp

Download
memory/4400-134-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download
memory/4400-132-0x0000000000770000-0x0000000000776000-memory.dmp

Filesize
24KB

Download