formbook | ad7b11d538d1b3e39d30c7cd9523c744cd1dc061002aa38d0779b67c923b5945

General

Target

Purchase Order number n° 20220741.exe
Size

995KB
MD5

78555e148afa5a103c938dcd5da2293c
SHA1

e1a03ff97dd2ae0d2244c5694ec409de141b4d23
SHA256

ad7b11d538d1b3e39d30c7cd9523c744cd1dc061002aa38d0779b67c923b5945
SHA512

b50b7f929fceb85f30194595c86a371db00e3a5ecc92849fe06f177fbf5c5fbe01d5f0af9c79016de253c72da1ca80db0320fffc7a6aad5f640e7f68bfb133b1
SSDEEP

12288:9kY09G/Ju+/rXNzQTETwB9kzy7U0EAgcQVkN8Cs/jdv6cx:9kZG/Ju+T2ETK9+KU0UcACGv

Score

10^/10

formbook s11n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s11n

Decoy

ugokk.com

webglobalmart.com

giapponetour.com

ericdhaun.com

sewozy33.com

bgw.info

montakcha.online

rayrung.com

thebranddesi.com

liamba.fun

whatismyipaddress.online

ggg9z-a1bzgkze.kred

greatowlbooks.site

sz1992.com

coolonebr.online

xhs782.vip

fizzell.site

dwpato.xyz

pelicankids.store

gopensum.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3172-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3172-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4848-147-0x0000000000810000-0x000000000083F000-memory.dmp	formbook
behavioral2/memory/4848-152-0x0000000000810000-0x000000000083F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2276 set thread context of 3172	2276	Purchase Order number n° 20220741.exe	88
PID 3172 set thread context of 3056	3172	Purchase Order number n° 20220741.exe	41
PID 4848 set thread context of 3056	4848	rundll32.exe	41

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3172	Purchase Order number n° 20220741.exe
3172	Purchase Order number n° 20220741.exe
3172	Purchase Order number n° 20220741.exe
3172	Purchase Order number n° 20220741.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe
4848	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3056	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3172	Purchase Order number n° 20220741.exe
3172	Purchase Order number n° 20220741.exe
3172	Purchase Order number n° 20220741.exe
4848	rundll32.exe
4848	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3172	Purchase Order number n° 20220741.exe
Token: SeDebugPrivilege	4848	rundll32.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 3172	2276	Purchase Order number n° 20220741.exe	88
PID 2276 wrote to memory of 3172	2276	Purchase Order number n° 20220741.exe	88
PID 2276 wrote to memory of 3172	2276	Purchase Order number n° 20220741.exe	88
PID 2276 wrote to memory of 3172	2276	Purchase Order number n° 20220741.exe	88
PID 2276 wrote to memory of 3172	2276	Purchase Order number n° 20220741.exe	88
PID 2276 wrote to memory of 3172	2276	Purchase Order number n° 20220741.exe	88
PID 3056 wrote to memory of 4848	3056	Explorer.EXE	89
PID 3056 wrote to memory of 4848	3056	Explorer.EXE	89
PID 3056 wrote to memory of 4848	3056	Explorer.EXE	89
PID 4848 wrote to memory of 4576	4848	rundll32.exe	90
PID 4848 wrote to memory of 4576	4848	rundll32.exe	90
PID 4848 wrote to memory of 4576	4848	rundll32.exe	90

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3056
- C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe
  "C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2276
- - C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3172
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4848
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order number n° 20220741.exe"
    3⤵
    PID:4576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2276-132-0x0000000000320000-0x0000000000420000-memory.dmp

Filesize
1024KB

Download
memory/2276-133-0x0000000005340000-0x00000000058E4000-memory.dmp

Filesize
5.6MB

Download
memory/2276-134-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/2276-135-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/2276-136-0x0000000007090000-0x000000000712C000-memory.dmp

Filesize
624KB

Download
memory/2276-137-0x00000000091C0000-0x0000000009226000-memory.dmp

Filesize
408KB

Download
memory/3056-144-0x0000000007530000-0x000000000761A000-memory.dmp

Filesize
936KB

Download
memory/3056-153-0x0000000008540000-0x0000000008621000-memory.dmp

Filesize
900KB

Download
memory/3056-151-0x0000000008540000-0x0000000008621000-memory.dmp

Filesize
900KB

Download
memory/3172-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-142-0x0000000001260000-0x00000000015AA000-memory.dmp

Filesize
3.3MB

Download
memory/3172-143-0x0000000000D00000-0x0000000000D15000-memory.dmp

Filesize
84KB

Download
memory/3172-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4848-146-0x0000000000E80000-0x0000000000E94000-memory.dmp

Filesize
80KB

Download
memory/4848-149-0x00000000027A0000-0x0000000002AEA000-memory.dmp

Filesize
3.3MB

Download
memory/4848-150-0x00000000026E0000-0x0000000002774000-memory.dmp

Filesize
592KB

Download
memory/4848-147-0x0000000000810000-0x000000000083F000-memory.dmp

Filesize
188KB

Download
memory/4848-152-0x0000000000810000-0x000000000083F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing