formbook | f2a0159fafd3bdbe6b457f8f724e142c8cfd9cb0eb02b508729cc7e3c42cf593

General

Target

tmp.exe
Size

812KB
MD5

909d921710d0a5bc4ddfacb0ced137bf
SHA1

fdea869c122579b91b37eb9c30208645191375b1
SHA256

f2a0159fafd3bdbe6b457f8f724e142c8cfd9cb0eb02b508729cc7e3c42cf593
SHA512

afc37126846a38d7118fbcc44358f4b9d45a3ce5ad4fa4b1ef7ae65660b05cf0a3ca7f39a2da09eca5ac55eccdf09ea016ed076ee66ead0232b49ce0a94b68c2
SSDEEP

12288:9RWl0W42kA3TOGU2ybvNTjhFG8KBvqKT8B8IHhp2TBS:iw2kQ6GTaFGDBvBCLBpAS

Score

10^/10

formbook sde7 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sde7

Decoy

lolfilmfestival.com

pousdaobosque.com

tangierfilm.com

valuedassist.com

qcrluxuryrentals.com

poc4cloudx.com

irizh.art

flowsever.com

serios-lifestyle.com

abc-diomain.com

bmwoemwarehouse.com

vivelamoda.com

thesycorax.online

goodjob129.com

hudyeanamaze.com

pabcp.com

millennialworkouts.com

gpcr-compound-library.com

rotyupin.xyz

hnkcsm.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4348-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4348-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4428-147-0x00000000010D0000-0x00000000010FF000-memory.dmp	formbook
behavioral2/memory/4428-153-0x00000000010D0000-0x00000000010FF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1856 set thread context of 4348	1856	tmp.exe	88
PID 4348 set thread context of 2864	4348	tmp.exe	54
PID 4428 set thread context of 2864	4428	ipconfig.exe	54

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
4428	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
4348	tmp.exe
4348	tmp.exe
4348	tmp.exe
4348	tmp.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe
4428	ipconfig.exe

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4348	tmp.exe
4348	tmp.exe
4348	tmp.exe
4428	ipconfig.exe
4428	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4348	tmp.exe
Token: SeShutdownPrivilege	2864	Explorer.EXE
Token: SeCreatePagefilePrivilege	2864	Explorer.EXE
Token: SeDebugPrivilege	4428	ipconfig.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 4348	1856	tmp.exe	88
PID 1856 wrote to memory of 4348	1856	tmp.exe	88
PID 1856 wrote to memory of 4348	1856	tmp.exe	88
PID 1856 wrote to memory of 4348	1856	tmp.exe	88
PID 1856 wrote to memory of 4348	1856	tmp.exe	88
PID 1856 wrote to memory of 4348	1856	tmp.exe	88
PID 2864 wrote to memory of 4428	2864	Explorer.EXE	91
PID 2864 wrote to memory of 4428	2864	Explorer.EXE	91
PID 2864 wrote to memory of 4428	2864	Explorer.EXE	91
PID 4428 wrote to memory of 2284	4428	ipconfig.exe	92
PID 4428 wrote to memory of 2284	4428	ipconfig.exe	92
PID 4428 wrote to memory of 2284	4428	ipconfig.exe	92

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1856
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4348
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3668
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    PID:2284

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1856-133-0x0000000006060000-0x0000000006604000-memory.dmp

Filesize
5.6MB

Download
memory/1856-134-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/1856-135-0x0000000005A70000-0x0000000005A7A000-memory.dmp

Filesize
40KB

Download
memory/1856-136-0x0000000009610000-0x00000000096AC000-memory.dmp

Filesize
624KB

Download
memory/1856-137-0x00000000096C0000-0x0000000009726000-memory.dmp

Filesize
408KB

Download
memory/1856-132-0x0000000000F70000-0x0000000001040000-memory.dmp

Filesize
832KB

Download
memory/2864-144-0x0000000007F20000-0x0000000008041000-memory.dmp

Filesize
1.1MB

Download
memory/2864-154-0x0000000008110000-0x0000000008276000-memory.dmp

Filesize
1.4MB

Download
memory/2864-152-0x0000000008110000-0x0000000008276000-memory.dmp

Filesize
1.4MB

Download
memory/2864-150-0x0000000007F20000-0x0000000008041000-memory.dmp

Filesize
1.1MB

Download
memory/4348-143-0x0000000001740000-0x0000000001754000-memory.dmp

Filesize
80KB

Download
memory/4348-142-0x00000000018A0000-0x0000000001BEA000-memory.dmp

Filesize
3.3MB

Download
memory/4348-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4348-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4428-146-0x0000000000050000-0x000000000005B000-memory.dmp

Filesize
44KB

Download
memory/4428-147-0x00000000010D0000-0x00000000010FF000-memory.dmp

Filesize
188KB

Download
memory/4428-148-0x0000000001840000-0x0000000001B8A000-memory.dmp

Filesize
3.3MB

Download
memory/4428-151-0x0000000001790000-0x0000000001823000-memory.dmp

Filesize
588KB

Download
memory/4428-153-0x00000000010D0000-0x00000000010FF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing