formbook | 1e9b2dab23e487f9f8442ab474b4ec7b56d5bbeca861d37c936a6bbbe2e84bdb

General

Target

DHL Invoice Details_pdf.exe
Size

828KB
MD5

384579444926fb62ca870190509ec096
SHA1

818529123f2462098799b6c4dc4aeadda6c170ef
SHA256

1e9b2dab23e487f9f8442ab474b4ec7b56d5bbeca861d37c936a6bbbe2e84bdb
SHA512

ac05a72fc5d0d1254e67c99ccac8673b823aaa98051f69d4b4f84f42eae00ba4acece648fd232e1e80958af3f1dd200358a02c33384d53271d9b1d76ae28a43a
SSDEEP

12288:NwjAs0BRyNr08FI6LouQMQaMjoHmS8A/K17TQoLi8ILTcs/:NwjAs0BROk1kmS897koLi8IH

Score

10^/10

formbook d10a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d10a

Decoy

tprgamesslot.com

1wautomarketing.shop

jnfc.bar

reelestate.info

coolvenead.buzz

am2pmconstruction.com

casasbh-digital.com

kmzu.info

magabestonline.com

evdirect.net

utaxi.app

gamemakr.tech

klsxofficial.com

qfaw.mom

bwchosting.com

joseli.xyz

carnelianintimates.com

manarnews.site

axacpe.click

pinupmeals.click

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/580-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/580-64-0x000000000041F060-mapping.dmp	formbook
behavioral1/memory/580-70-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/584-74-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/584-78-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1520	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1600 set thread context of 580	1600	DHL Invoice Details_pdf.exe	27
PID 580 set thread context of 1208	580	DHL Invoice Details_pdf.exe	9
PID 584 set thread context of 1208	584	control.exe	9

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
580	DHL Invoice Details_pdf.exe
580	DHL Invoice Details_pdf.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe
584	control.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1208	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
580	DHL Invoice Details_pdf.exe
580	DHL Invoice Details_pdf.exe
580	DHL Invoice Details_pdf.exe
584	control.exe
584	control.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	580	DHL Invoice Details_pdf.exe
Token: SeDebugPrivilege	584	control.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1208	Explorer.EXE
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1600 wrote to memory of 580	1600	DHL Invoice Details_pdf.exe	27
PID 1600 wrote to memory of 580	1600	DHL Invoice Details_pdf.exe	27
PID 1600 wrote to memory of 580	1600	DHL Invoice Details_pdf.exe	27
PID 1600 wrote to memory of 580	1600	DHL Invoice Details_pdf.exe	27
PID 1600 wrote to memory of 580	1600	DHL Invoice Details_pdf.exe	27
PID 1600 wrote to memory of 580	1600	DHL Invoice Details_pdf.exe	27
PID 1600 wrote to memory of 580	1600	DHL Invoice Details_pdf.exe	27
PID 1208 wrote to memory of 584	1208	Explorer.EXE	28
PID 1208 wrote to memory of 584	1208	Explorer.EXE	28
PID 1208 wrote to memory of 584	1208	Explorer.EXE	28
PID 1208 wrote to memory of 584	1208	Explorer.EXE	28
PID 584 wrote to memory of 1520	584	control.exe	29
PID 584 wrote to memory of 1520	584	control.exe	29
PID 584 wrote to memory of 1520	584	control.exe	29
PID 584 wrote to memory of 1520	584	control.exe	29

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1600
- - C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:580
- C:\Windows\SysWOW64\control.exe
  "C:\Windows\SysWOW64\control.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\DHL Invoice Details_pdf.exe"
    3⤵
    - Deletes itself
    PID:1520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-67-0x0000000000290000-0x00000000002A5000-memory.dmp

Filesize
84KB

Download
memory/580-66-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download
memory/580-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-74-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/584-78-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/584-76-0x0000000001DC0000-0x0000000001E54000-memory.dmp

Filesize
592KB

Download
memory/584-75-0x0000000001FF0000-0x00000000022F3000-memory.dmp

Filesize
3.0MB

Download
memory/584-73-0x00000000004E0000-0x00000000004FF000-memory.dmp

Filesize
124KB

Download
memory/1208-68-0x0000000004D20000-0x0000000004E18000-memory.dmp

Filesize
992KB

Download
memory/1208-77-0x0000000007CE0000-0x0000000007E71000-memory.dmp

Filesize
1.6MB

Download
memory/1208-79-0x0000000007CE0000-0x0000000007E71000-memory.dmp

Filesize
1.6MB

Download
memory/1208-80-0x000007FEFA860000-0x000007FEFA9A3000-memory.dmp

Filesize
1.3MB

Download
memory/1208-81-0x000007FEA0130000-0x000007FEA013A000-memory.dmp

Filesize
40KB

Download
memory/1600-55-0x00000000752B1000-0x00000000752B3000-memory.dmp

Filesize
8KB

Download
memory/1600-59-0x0000000000EA0000-0x0000000000ED4000-memory.dmp

Filesize
208KB

Download
memory/1600-56-0x00000000003C0000-0x00000000003DA000-memory.dmp

Filesize
104KB

Download
memory/1600-54-0x0000000000F00000-0x0000000000FD6000-memory.dmp

Filesize
856KB

Download
memory/1600-57-0x00000000002B0000-0x00000000002BC000-memory.dmp

Filesize
48KB

Download
memory/1600-58-0x0000000000690000-0x000000000071E000-memory.dmp

Filesize
568KB

Download

Analysis

Sharing