formbook | 9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570

General

Target

tmp.exe
Size

631KB
MD5

7d6ff1922141c5a973665b8fbf23ad28
SHA1

d3e359ba67218bc6ee10a87fb4e5f4d811f2b8cd
SHA256

9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570
SHA512

009cb7a687d11300a01ebf506abd0d91bc43b199ac8bea0155cfc9c86ae19640fbb2422ed4390ee2c0b4ffa7501849b6e225bbd25300d032e107e7a03baede7e
SSDEEP

12288:AwhuJ1Qvhzps7LZ3CUlebztjq7dfaveSS8Ol7amatoVYX9csg87:zuJWs7LZoztjqTS5Ol7akVYXy5

Score

10^/10

formbook d06c rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d06c

Decoy

douglasdetoledopiza.com

yxcc.online

primo.llc

mediamomos.com

cosmetiq-pro.com

22labs.tech

turbowashing.com

lindaivell.site

princess-bed.club

groundget.cfd

agretaminiousa.com

lomoni.com

nessesse.us

lexgo.cloud

halilsener.xyz

kirokubo.cloud

corotip.sbs

meghq.net

5y6s.world

weasib.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4120-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4120-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4120-148-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1656-151-0x0000000001200000-0x000000000122F000-memory.dmp	formbook
behavioral2/memory/1656-153-0x0000000001200000-0x000000000122F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

tmp.exetmp.exemsdt.exe

description	pid	process	target process
PID 5112 set thread context of 4120	5112	tmp.exe	tmp.exe
PID 4120 set thread context of 2432	4120	tmp.exe	Explorer.EXE
PID 4120 set thread context of 2432	4120	tmp.exe	Explorer.EXE
PID 1656 set thread context of 2432	1656	msdt.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

tmp.exetmp.exemsdt.exe

pid	process
5112	tmp.exe
5112	tmp.exe
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe
1656	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2432 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

tmp.exemsdt.exe

pid process

4120 tmp.exe
4120 tmp.exe
4120 tmp.exe
4120 tmp.exe
1656 msdt.exe
1656 msdt.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exetmp.exemsdt.exe

description pid process

Token: SeDebugPrivilege 5112 tmp.exe
Token: SeDebugPrivilege 4120 tmp.exe
Token: SeDebugPrivilege 1656 msdt.exe

pid	process
2432	Explorer.EXE

pid	process
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe
4120	tmp.exe
1656	msdt.exe
1656	msdt.exe

description	pid	process
Token: SeDebugPrivilege	5112	tmp.exe
Token: SeDebugPrivilege	4120	tmp.exe
Token: SeDebugPrivilege	1656	msdt.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 5112 wrote to memory of 4676	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4676	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4676	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4120	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4120	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4120	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4120	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4120	5112	tmp.exe	tmp.exe
PID 5112 wrote to memory of 4120	5112	tmp.exe	tmp.exe
PID 2432 wrote to memory of 1656	2432	Explorer.EXE	msdt.exe
PID 2432 wrote to memory of 1656	2432	Explorer.EXE	msdt.exe
PID 2432 wrote to memory of 1656	2432	Explorer.EXE	msdt.exe
PID 1656 wrote to memory of 2012	1656	msdt.exe	cmd.exe
PID 1656 wrote to memory of 2012	1656	msdt.exe	cmd.exe
PID 1656 wrote to memory of 2012	1656	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2432

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5112

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:4676

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2512

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1756

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1776

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2356

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2636

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1504

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1372

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:2012

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1656-154-0x0000000003100000-0x0000000003193000-memory.dmp

Filesize
588KB

Download
memory/1656-153-0x0000000001200000-0x000000000122F000-memory.dmp

Filesize
188KB

Download
memory/1656-152-0x0000000003320000-0x000000000366A000-memory.dmp

Filesize
3.3MB

Download
memory/1656-150-0x0000000000090000-0x00000000000E7000-memory.dmp

Filesize
348KB

Download
memory/1656-151-0x0000000001200000-0x000000000122F000-memory.dmp

Filesize
188KB

Download
memory/1656-147-0x0000000000000000-mapping.dmp

Download
memory/2012-149-0x0000000000000000-mapping.dmp

Download
memory/2432-146-0x0000000007CC0000-0x0000000007E38000-memory.dmp

Filesize
1.5MB

Download
memory/2432-156-0x0000000007E40000-0x0000000007FAC000-memory.dmp

Filesize
1.4MB

Download
memory/2432-155-0x0000000007E40000-0x0000000007FAC000-memory.dmp

Filesize
1.4MB

Download
memory/2432-143-0x00000000076F0000-0x00000000077FE000-memory.dmp

Filesize
1.1MB

Download
memory/4120-138-0x0000000000000000-mapping.dmp

Download
memory/4120-145-0x00000000018A0000-0x00000000018B4000-memory.dmp

Filesize
80KB

Download
memory/4120-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-142-0x00000000013F0000-0x0000000001404000-memory.dmp

Filesize
80KB

Download
memory/4120-148-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-141-0x0000000001420000-0x000000000176A000-memory.dmp

Filesize
3.3MB

Download
memory/4120-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4676-137-0x0000000000000000-mapping.dmp

Download
memory/5112-132-0x0000000000E90000-0x0000000000F34000-memory.dmp

Filesize
656KB

Download
memory/5112-136-0x0000000008430000-0x00000000084CC000-memory.dmp

Filesize
624KB

Download
memory/5112-135-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/5112-134-0x00000000058C0000-0x0000000005952000-memory.dmp

Filesize
584KB

Download
memory/5112-133-0x0000000005FC0000-0x0000000006564000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads