formbook | 76b075d9a92f124e01df0a2c3f86ea729666db05b813d499fb3ce6d2402f42d9

General

Target

ZB_1997e758e3.exe
Size

487KB
MD5

25d40c676222d431691223ea256c5be0
SHA1

844e84f81a6fcb00af333793bccdf960377dd7d0
SHA256

76b075d9a92f124e01df0a2c3f86ea729666db05b813d499fb3ce6d2402f42d9
SHA512

1e140f4427fd5989b28827169126445c2bf7a8059a3279fa419c9d8280998e1c005234d1a5c3bf87a79d527adf153ccf199e070a0ae9ab2bef62437d3fd76161

Score

10^/10

formbook mh76 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/732-60-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/732-61-0x000000000041F1A0-mapping.dmp	formbook
behavioral1/memory/732-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1672-71-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook
behavioral1/memory/1672-75-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

ZB_1997e758e3.exeInstallUtil.exerundll32.exe

description	pid	process	target process
PID 896 set thread context of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 732 set thread context of 1412	732	InstallUtil.exe	Explorer.EXE
PID 1672 set thread context of 1412	1672	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

ZB_1997e758e3.exeInstallUtil.exerundll32.exe

pid	process
896	ZB_1997e758e3.exe
896	ZB_1997e758e3.exe
732	InstallUtil.exe
732	InstallUtil.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

InstallUtil.exerundll32.exe

pid process

732 InstallUtil.exe
732 InstallUtil.exe
732 InstallUtil.exe
1672 rundll32.exe
1672 rundll32.exe

pid	process
732	InstallUtil.exe
732	InstallUtil.exe
732	InstallUtil.exe
1672	rundll32.exe
1672	rundll32.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ZB_1997e758e3.exeInstallUtil.exerundll32.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	896	ZB_1997e758e3.exe
Token: SeDebugPrivilege	732	InstallUtil.exe
Token: SeDebugPrivilege	1672	rundll32.exe
Token: SeShutdownPrivilege	1412	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1412 Explorer.EXE
1412 Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

pid	process
1412	Explorer.EXE
1412	Explorer.EXE

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

ZB_1997e758e3.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 896 wrote to memory of 732	896	ZB_1997e758e3.exe	InstallUtil.exe
PID 1412 wrote to memory of 1672	1412	Explorer.EXE	rundll32.exe
PID 1412 wrote to memory of 1672	1412	Explorer.EXE	rundll32.exe
PID 1412 wrote to memory of 1672	1412	Explorer.EXE	rundll32.exe
PID 1412 wrote to memory of 1672	1412	Explorer.EXE	rundll32.exe
PID 1412 wrote to memory of 1672	1412	Explorer.EXE	rundll32.exe
PID 1412 wrote to memory of 1672	1412	Explorer.EXE	rundll32.exe
PID 1412 wrote to memory of 1672	1412	Explorer.EXE	rundll32.exe
PID 1672 wrote to memory of 1520	1672	rundll32.exe	cmd.exe
PID 1672 wrote to memory of 1520	1672	rundll32.exe	cmd.exe
PID 1672 wrote to memory of 1520	1672	rundll32.exe	cmd.exe
PID 1672 wrote to memory of 1520	1672	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1412

C:\Users\Admin\AppData\Local\Temp\ZB_1997e758e3.exe
"C:\Users\Admin\AppData\Local\Temp\ZB_1997e758e3.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
3⤵
PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/732-65-0x00000000001E0000-0x00000000001F5000-memory.dmp

Filesize
84KB

Download
memory/732-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-57-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-64-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/732-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/732-61-0x000000000041F1A0-mapping.dmp

Download
memory/896-54-0x0000000000C70000-0x0000000000CF0000-memory.dmp

Filesize
512KB

Download
memory/896-56-0x0000000004670000-0x0000000004702000-memory.dmp

Filesize
584KB

Download
memory/896-55-0x0000000004580000-0x00000000045F8000-memory.dmp

Filesize
480KB

Download
memory/1412-76-0x0000000006A70000-0x0000000006B2C000-memory.dmp

Filesize
752KB

Download
memory/1412-66-0x0000000006280000-0x0000000006363000-memory.dmp

Filesize
908KB

Download
memory/1412-74-0x0000000006A70000-0x0000000006B2C000-memory.dmp

Filesize
752KB

Download
memory/1520-69-0x0000000000000000-mapping.dmp

Download
memory/1672-70-0x0000000000F30000-0x0000000000F3E000-memory.dmp

Filesize
56KB

Download
memory/1672-71-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1672-72-0x0000000002340000-0x0000000002643000-memory.dmp

Filesize
3.0MB

Download
memory/1672-73-0x0000000000970000-0x0000000000A04000-memory.dmp

Filesize
592KB

Download
memory/1672-67-0x0000000000000000-mapping.dmp

Download
memory/1672-75-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1672-68-0x0000000075851000-0x0000000075853000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads