formbook | 8c2e1cd85bbec2e5f787c6d4bc8c203790222bdb315533c97f2f43b493fb0340

General

Target

IsHwns2p3ZvIgkH.exe
Size

1.0MB
MD5

aa9bfaf0db3e099e5a4c92fa67a52217
SHA1

1a24dacdffd825a20b9dd4d7d2780c388134218b
SHA256

c694ebca2b151e70ba5f51af8b74efcd69188a423b1ae2c62c4981df1b31fbf2
SHA512

be863de492013738e504c6b29743b1332c6ca4cecd337b7d1af3c6db53297b9cdaf5727e26a59e7c3b04bc3feeae1406962c08e5f95542634a5471e027696738
SSDEEP

12288:t8kFnWxU8SOT7JqYrEcCLFng/utcSq8f4DTfvLEcp3y5we421KKYdDxry:+eZBOHAYrWqmq80fTEIC5ejdNy

Score

10^/10

formbook j2s3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j2s3

Decoy

conseptua.com

apexgclv.com

cannian.xyz

neuro-holistic-therapy.co.uk

iabcme.com

costadealisios.com

advisehalt.sbs

zlp-co.top

manchestersolarpanels.co.uk

zenhealcare.com

wyattandco.info

577ly.net

annieshallmark.online

realecovillage.online

tuncel-makina.com

5504hn.net

pulseelectronics.website

sngysstym.xyz

viajargcdk.xyz

yetiicecream.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1076-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1076-64-0x000000000041F110-mapping.dmp	formbook
behavioral1/memory/1076-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1076-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1088-76-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1088-80-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1776	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1500 set thread context of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1076 set thread context of 1360	1076	IsHwns2p3ZvIgkH.exe	13
PID 1076 set thread context of 1360	1076	IsHwns2p3ZvIgkH.exe	13
PID 1088 set thread context of 1360	1088	wininit.exe	13

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1076	IsHwns2p3ZvIgkH.exe
1076	IsHwns2p3ZvIgkH.exe
1076	IsHwns2p3ZvIgkH.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe
1088	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1076	IsHwns2p3ZvIgkH.exe
1076	IsHwns2p3ZvIgkH.exe
1076	IsHwns2p3ZvIgkH.exe
1076	IsHwns2p3ZvIgkH.exe
1088	wininit.exe
1088	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1076	IsHwns2p3ZvIgkH.exe
Token: SeDebugPrivilege	1088	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1360	Explorer.EXE
1360	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1500 wrote to memory of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1500 wrote to memory of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1500 wrote to memory of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1500 wrote to memory of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1500 wrote to memory of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1500 wrote to memory of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1500 wrote to memory of 1076	1500	IsHwns2p3ZvIgkH.exe	27
PID 1360 wrote to memory of 1088	1360	Explorer.EXE	28
PID 1360 wrote to memory of 1088	1360	Explorer.EXE	28
PID 1360 wrote to memory of 1088	1360	Explorer.EXE	28
PID 1360 wrote to memory of 1088	1360	Explorer.EXE	28
PID 1088 wrote to memory of 1776	1088	wininit.exe	29
PID 1088 wrote to memory of 1776	1088	wininit.exe	29
PID 1088 wrote to memory of 1776	1088	wininit.exe	29
PID 1088 wrote to memory of 1776	1088	wininit.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1360
- C:\Users\Admin\AppData\Local\Temp\IsHwns2p3ZvIgkH.exe
  "C:\Users\Admin\AppData\Local\Temp\IsHwns2p3ZvIgkH.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Users\Admin\AppData\Local\Temp\IsHwns2p3ZvIgkH.exe
    "C:\Users\Admin\AppData\Local\Temp\IsHwns2p3ZvIgkH.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1076
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\IsHwns2p3ZvIgkH.exe"
    3⤵
    - Deletes itself
    PID:1776

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1076-67-0x0000000000140000-0x0000000000154000-memory.dmp

Filesize
80KB

Download
memory/1076-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-70-0x0000000000230000-0x0000000000244000-memory.dmp

Filesize
80KB

Download
memory/1076-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-66-0x0000000000C50000-0x0000000000F53000-memory.dmp

Filesize
3.0MB

Download
memory/1076-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1076-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1088-78-0x0000000001EA0000-0x0000000001F33000-memory.dmp

Filesize
588KB

Download
memory/1088-75-0x0000000000600000-0x000000000061A000-memory.dmp

Filesize
104KB

Download
memory/1088-80-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1088-77-0x0000000002030000-0x0000000002333000-memory.dmp

Filesize
3.0MB

Download
memory/1088-76-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1360-68-0x0000000006D40000-0x0000000006ED3000-memory.dmp

Filesize
1.6MB

Download
memory/1360-81-0x0000000007300000-0x0000000007471000-memory.dmp

Filesize
1.4MB

Download
memory/1360-79-0x0000000007300000-0x0000000007471000-memory.dmp

Filesize
1.4MB

Download
memory/1360-71-0x0000000006090000-0x00000000061A7000-memory.dmp

Filesize
1.1MB

Download
memory/1500-56-0x0000000001EA0000-0x0000000001EB4000-memory.dmp

Filesize
80KB

Download
memory/1500-57-0x0000000001F90000-0x0000000001F9C000-memory.dmp

Filesize
48KB

Download
memory/1500-58-0x0000000007E80000-0x0000000007F0E000-memory.dmp

Filesize
568KB

Download
memory/1500-59-0x0000000005F90000-0x0000000005FC4000-memory.dmp

Filesize
208KB

Download
memory/1500-54-0x00000000002D0000-0x00000000003DA000-memory.dmp

Filesize
1.0MB

Download
memory/1500-55-0x0000000075B41000-0x0000000075B43000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing