formbook | fac949564f4665701edaee8c5228133b6c84842fef319a82e8909ddeaa215de6

General

Target

EFT Payment 27September.exe
Size

426KB
MD5

99128801351b81b164690fb32ddfe74f
SHA1

f8f2a0beaf18ce9311ada5ae7fd8dde3914771de
SHA256

fac949564f4665701edaee8c5228133b6c84842fef319a82e8909ddeaa215de6
SHA512

22a6f3d58634d462fd4281dbe2b975df010056bf2b385be110256430289d198640422f0a149607ad72d331bd34cf769fb09d80d22b05da4817d6d1c6db2f91bb
SSDEEP

6144:EKTmSHR5ZwZv+Wxt5+3GE4msba3k4kwsEYA8Ki:XT/x5Zw1+WlA2Vb4kJbEYu

Score

10^/10

formbook tg49 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tg49

Decoy

497338.com

shoptickr.win

support.academy

cloud123.top

manhattanmaintenance.site

sustainabilityblock.com

mertbnkae.city

letshookup.site

aqiqahkarawang.site

play-demoslot-coktogel.app

taikatarot.info

insanxarakterleri.com

bobdoessport.co

inexecution-oarsman.net

aspirationit.com

88bet2255.com

northbowlodge.com

downjc.com

diecastcoin.site

pubiliweb.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2028-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2028-62-0x000000000041F130-mapping.dmp	formbook
behavioral1/memory/2028-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1072-70-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1072-76-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1128 set thread context of 2028	1128	EFT Payment 27September.exe	27
PID 2028 set thread context of 1284	2028	aspnet_compiler.exe	13
PID 1072 set thread context of 1284	1072	systray.exe	13

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2028	aspnet_compiler.exe
2028	aspnet_compiler.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe
1072	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1284	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2028	aspnet_compiler.exe
2028	aspnet_compiler.exe
2028	aspnet_compiler.exe
1072	systray.exe
1072	systray.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	aspnet_compiler.exe
Token: SeDebugPrivilege	1072	systray.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1284	Explorer.EXE
1284	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1128 wrote to memory of 2028	1128	EFT Payment 27September.exe	27
PID 1128 wrote to memory of 2028	1128	EFT Payment 27September.exe	27
PID 1128 wrote to memory of 2028	1128	EFT Payment 27September.exe	27
PID 1128 wrote to memory of 2028	1128	EFT Payment 27September.exe	27
PID 1128 wrote to memory of 2028	1128	EFT Payment 27September.exe	27
PID 1128 wrote to memory of 2028	1128	EFT Payment 27September.exe	27
PID 1128 wrote to memory of 2028	1128	EFT Payment 27September.exe	27
PID 1284 wrote to memory of 1072	1284	Explorer.EXE	28
PID 1284 wrote to memory of 1072	1284	Explorer.EXE	28
PID 1284 wrote to memory of 1072	1284	Explorer.EXE	28
PID 1284 wrote to memory of 1072	1284	Explorer.EXE	28
PID 1072 wrote to memory of 580	1072	systray.exe	29
PID 1072 wrote to memory of 580	1072	systray.exe	29
PID 1072 wrote to memory of 580	1072	systray.exe	29
PID 1072 wrote to memory of 580	1072	systray.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1284
- C:\Users\Admin\AppData\Local\Temp\EFT Payment 27September.exe
  "C:\Users\Admin\AppData\Local\Temp\EFT Payment 27September.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"
    3⤵
    PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1072-73-0x0000000001D90000-0x0000000001E23000-memory.dmp

Filesize
588KB

Download
memory/1072-70-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1072-76-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1072-69-0x00000000006F0000-0x00000000006F5000-memory.dmp

Filesize
20KB

Download
memory/1072-72-0x0000000001F60000-0x0000000002263000-memory.dmp

Filesize
3.0MB

Download
memory/1128-57-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/1128-54-0x0000000000AE0000-0x0000000000B48000-memory.dmp

Filesize
416KB

Download
memory/1128-56-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1128-55-0x0000000000470000-0x0000000000476000-memory.dmp

Filesize
24KB

Download
memory/1284-74-0x0000000004100000-0x00000000041DB000-memory.dmp

Filesize
876KB

Download
memory/1284-67-0x0000000005F90000-0x00000000060A6000-memory.dmp

Filesize
1.1MB

Download
memory/1284-75-0x0000000005F90000-0x00000000060A6000-memory.dmp

Filesize
1.1MB

Download
memory/1284-77-0x0000000004100000-0x00000000041DB000-memory.dmp

Filesize
876KB

Download
memory/2028-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-66-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/2028-65-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/2028-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-58-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing