formbook | ec575764d7f4c1d71e94424356c2be92323fe7ede123018ad6ac642cd6501ee0

General

Target

Grupo Mexcalito - solicitud de consulta.exe
Size

776KB
MD5

bee037b6270d1273245a8b48b34d41b3
SHA1

8b38bb3e6ea4029e0a982d973e84e19d31bee874
SHA256

aede92f4a3b6c3925049513e0594089cdb92d1a62d6f40bf4874f20fe813b878
SHA512

07fe40cc47ebed7322fca066bef007c954f2eb742fa2a8b2a520b16e533b3815d1be420e701e67cede283dcd531dbf2b9f0f410f99f426ecd8da00a0927b8800
SSDEEP

12288:82iNz44dL/qGlyncIodlgEzD/z+4HTnb8AGxM:81GwGgScbDL+4HkM

Score

10^/10

formbook vo84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vo84

Decoy

laurenciavachulova.one

sabuilders.store

masxot.xyz

matchfail.com

suararakyatnews.net

kykm.rest

richardsmartinezh.site

morehouseweneedyou.com

depressivepawnclub.xyz

yenilenme.net

allhiejralstore.com

9993808.com

sleepshastra.com

weplay-classic.com

propertyofpalestine.com

onirica.club

yohelios.com

fcorruption.com

tongdans.top

richmondmassage.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/1800-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1800-64-0x000000000041F090-mapping.dmp	formbook
behavioral1/memory/1800-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1800-74-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1752-78-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook
behavioral1/memory/1752-82-0x00000000000E0000-0x000000000010F000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1116	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2044 set thread context of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 1800 set thread context of 1340	1800	Grupo Mexcalito - solicitud de consulta.exe	19
PID 1800 set thread context of 1340	1800	Grupo Mexcalito - solicitud de consulta.exe	19
PID 1752 set thread context of 1340	1752	control.exe	19

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
1800	Grupo Mexcalito - solicitud de consulta.exe
1800	Grupo Mexcalito - solicitud de consulta.exe
1800	Grupo Mexcalito - solicitud de consulta.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe
1752	control.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1800	Grupo Mexcalito - solicitud de consulta.exe
1800	Grupo Mexcalito - solicitud de consulta.exe
1800	Grupo Mexcalito - solicitud de consulta.exe
1800	Grupo Mexcalito - solicitud de consulta.exe
1752	control.exe
1752	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1800	Grupo Mexcalito - solicitud de consulta.exe
Token: SeDebugPrivilege	1752	control.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1340	Explorer.EXE
1340	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1340	Explorer.EXE
1340	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2044 wrote to memory of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 2044 wrote to memory of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 2044 wrote to memory of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 2044 wrote to memory of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 2044 wrote to memory of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 2044 wrote to memory of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 2044 wrote to memory of 1800	2044	Grupo Mexcalito - solicitud de consulta.exe	26
PID 1800 wrote to memory of 1752	1800	Grupo Mexcalito - solicitud de consulta.exe	27
PID 1800 wrote to memory of 1752	1800	Grupo Mexcalito - solicitud de consulta.exe	27
PID 1800 wrote to memory of 1752	1800	Grupo Mexcalito - solicitud de consulta.exe	27
PID 1800 wrote to memory of 1752	1800	Grupo Mexcalito - solicitud de consulta.exe	27
PID 1752 wrote to memory of 1116	1752	control.exe	28
PID 1752 wrote to memory of 1116	1752	control.exe	28
PID 1752 wrote to memory of 1116	1752	control.exe	28
PID 1752 wrote to memory of 1116	1752	control.exe	28

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1340
- C:\Users\Admin\AppData\Local\Temp\Grupo Mexcalito - solicitud de consulta.exe
  "C:\Users\Admin\AppData\Local\Temp\Grupo Mexcalito - solicitud de consulta.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Users\Admin\AppData\Local\Temp\Grupo Mexcalito - solicitud de consulta.exe
    "C:\Users\Admin\AppData\Local\Temp\Grupo Mexcalito - solicitud de consulta.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1752
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\Grupo Mexcalito - solicitud de consulta.exe"
        5⤵
        Deletes itself
        
        PID:1116

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1340-69-0x0000000004940000-0x0000000004A26000-memory.dmp

Filesize
920KB

Download
memory/1340-83-0x0000000004150000-0x000000000420B000-memory.dmp

Filesize
748KB

Download
memory/1340-81-0x0000000004150000-0x000000000420B000-memory.dmp

Filesize
748KB

Download
memory/1340-72-0x0000000004C10000-0x0000000004D6A000-memory.dmp

Filesize
1.4MB

Download
memory/1752-82-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1752-80-0x0000000001D60000-0x0000000001DF4000-memory.dmp

Filesize
592KB

Download
memory/1752-78-0x00000000000E0000-0x000000000010F000-memory.dmp

Filesize
188KB

Download
memory/1752-79-0x0000000001E60000-0x0000000002163000-memory.dmp

Filesize
3.0MB

Download
memory/1752-77-0x0000000000040000-0x000000000005F000-memory.dmp

Filesize
124KB

Download
memory/1800-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-67-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/1800-71-0x0000000000200000-0x0000000000215000-memory.dmp

Filesize
84KB

Download
memory/1800-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-74-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1800-68-0x00000000001B0000-0x00000000001C5000-memory.dmp

Filesize
84KB

Download
memory/1800-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2044-54-0x0000000001030000-0x00000000010F8000-memory.dmp

Filesize
800KB

Download
memory/2044-59-0x0000000000B90000-0x0000000000BC4000-memory.dmp

Filesize
208KB

Download
memory/2044-58-0x0000000004FE0000-0x000000000506E000-memory.dmp

Filesize
568KB

Download
memory/2044-57-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/2044-56-0x00000000002B0000-0x00000000002C4000-memory.dmp

Filesize
80KB

Download
memory/2044-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing