formbook | ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538

General

Target

PO KIPO000903 KIND122822.exe
Size

636KB
MD5

3b61d04e555f74f42e22c71a5885ac71
SHA1

9c774e98b87394627d311a552d8bde85d57b327c
SHA256

ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538
SHA512

f7363fa7857e791e6fd9320fba7c1d3927fd4c0aa6a7935a88ffabd747323f0e93d12a8f3c4be2625606e86c8f612e4271ef9ee41848d3bf2a8bdc4fed328f70
SSDEEP

12288:yucKpbKbf92TXwpL3sMcIobFB5BD8tVvkwkrscPA3QR+:yF4bKOORcIoxBDr1P/

Score

10^/10

formbook d94i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3748-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3748-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3608-148-0x0000000000B20000-0x0000000000B4F000-memory.dmp	formbook
behavioral2/memory/3608-151-0x0000000000B20000-0x0000000000B4F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

PO KIPO000903 KIND122822.exePO KIPO000903 KIND122822.exehelp.exe

description	pid	process	target process
PID 1036 set thread context of 3748	1036	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 3748 set thread context of 2712	3748	PO KIPO000903 KIND122822.exe	Explorer.EXE
PID 3608 set thread context of 2712	3608	help.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

PO KIPO000903 KIND122822.exehelp.exe

pid	process
3748	PO KIPO000903 KIND122822.exe
3748	PO KIPO000903 KIND122822.exe
3748	PO KIPO000903 KIND122822.exe
3748	PO KIPO000903 KIND122822.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe
3608	help.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

PO KIPO000903 KIND122822.exehelp.exe

pid process

3748 PO KIPO000903 KIND122822.exe
3748 PO KIPO000903 KIND122822.exe
3748 PO KIPO000903 KIND122822.exe
3608 help.exe
3608 help.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

PO KIPO000903 KIND122822.exehelp.exe

description pid process

Token: SeDebugPrivilege 3748 PO KIPO000903 KIND122822.exe
Token: SeDebugPrivilege 3608 help.exe

description	pid	process
Token: SeDebugPrivilege	3748	PO KIPO000903 KIND122822.exe
Token: SeDebugPrivilege	3608	help.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

PO KIPO000903 KIND122822.exeExplorer.EXEhelp.exe

description	pid	process	target process
PID 1036 wrote to memory of 3748	1036	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 1036 wrote to memory of 3748	1036	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 1036 wrote to memory of 3748	1036	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 1036 wrote to memory of 3748	1036	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 1036 wrote to memory of 3748	1036	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 1036 wrote to memory of 3748	1036	PO KIPO000903 KIND122822.exe	PO KIPO000903 KIND122822.exe
PID 2712 wrote to memory of 3608	2712	Explorer.EXE	help.exe
PID 2712 wrote to memory of 3608	2712	Explorer.EXE	help.exe
PID 2712 wrote to memory of 3608	2712	Explorer.EXE	help.exe
PID 3608 wrote to memory of 3424	3608	help.exe	cmd.exe
PID 3608 wrote to memory of 3424	3608	help.exe	cmd.exe
PID 3608 wrote to memory of 3424	3608	help.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:2712

C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
"C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1036

C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
"C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3748

C:\Windows\SysWOW64\help.exe
"C:\Windows\SysWOW64\help.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3608

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
3⤵
PID:3424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-133-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/1036-134-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/1036-135-0x0000000005840000-0x000000000584A000-memory.dmp

Filesize
40KB

Download
memory/1036-136-0x00000000092D0000-0x000000000936C000-memory.dmp

Filesize
624KB

Download
memory/1036-132-0x0000000000DD0000-0x0000000000E76000-memory.dmp

Filesize
664KB

Download
memory/2712-142-0x0000000002C60000-0x0000000002DF7000-memory.dmp

Filesize
1.6MB

Download
memory/2712-152-0x0000000002E00000-0x0000000002EBD000-memory.dmp

Filesize
756KB

Download
memory/2712-150-0x0000000002E00000-0x0000000002EBD000-memory.dmp

Filesize
756KB

Download
memory/3424-145-0x0000000000000000-mapping.dmp

Download
memory/3608-148-0x0000000000B20000-0x0000000000B4F000-memory.dmp

Filesize
188KB

Download
memory/3608-143-0x0000000000000000-mapping.dmp

Download
memory/3608-146-0x0000000000980000-0x0000000000987000-memory.dmp

Filesize
28KB

Download
memory/3608-147-0x0000000001390000-0x00000000016DA000-memory.dmp

Filesize
3.3MB

Download
memory/3608-149-0x00000000016E0000-0x0000000001773000-memory.dmp

Filesize
588KB

Download
memory/3608-151-0x0000000000B20000-0x0000000000B4F000-memory.dmp

Filesize
188KB

Download
memory/3748-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-141-0x0000000001620000-0x0000000001634000-memory.dmp

Filesize
80KB

Download
memory/3748-139-0x0000000001680000-0x00000000019CA000-memory.dmp

Filesize
3.3MB

Download
memory/3748-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3748-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads