formbook | 59d3d0d82273ee3a78483d3508a8247593a06826f8531de8ca072718e6609598

General

Target

DHL Notification_pdf.exe
Size

552KB
MD5

460e1ef118f702b193363c520b492e92
SHA1

8050b0486439c773c4bab659bcb00b0a8791d534
SHA256

59d3d0d82273ee3a78483d3508a8247593a06826f8531de8ca072718e6609598
SHA512

f1283ec160231a5ae402a2718a5c0474e2a114d26f13443330a13d468bec408e52643c44c7046d0ae7c4740bb0385bcd94d169562b6443491fa0b97556c50113
SSDEEP

6144:GoxvvklriDeObYNny/B4uIr8r9I3ZYhFo6tTExJZmcUUCTO/z45Oq1FqiK0PF0ey:Z9Ynu4zZYhFHKZ+UxzU39jq

Score

10^/10

formbook j17j rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

j17j

Decoy

playphf.live

solarthinfilmtec.com

gdhaoshan.com

posh-designs.com

369andrewst.com

doverupblications.com

hengshangmei.com

decungo.com

checksinthemaiil.com

4localde.com

wetakeoveryourhousepayments.com

overcharge-center.com

mmmmmboulder.com

almaszarrin.net

enterpriseturkey.com

lanierfurniture.com

lhzb726-gw021.vip

onuiol.com

dmitrytodosyev.com

117uuu.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1072-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1072-64-0x000000000041F0A0-mapping.dmp	formbook
behavioral1/memory/1072-70-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/972-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/972-77-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1048 cmd.exe

pid	process
1048	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL Notification_pdf.exeDHL Notification_pdf.execmd.exe

description	pid	process	target process
PID 112 set thread context of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 1072 set thread context of 1380	1072	DHL Notification_pdf.exe	Explorer.EXE
PID 972 set thread context of 1380	972	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

DHL Notification_pdf.exeDHL Notification_pdf.execmd.exe

pid process

112 DHL Notification_pdf.exe
1072 DHL Notification_pdf.exe
1072 DHL Notification_pdf.exe
972 cmd.exe
972 cmd.exe
972 cmd.exe
972 cmd.exe
972 cmd.exe
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL Notification_pdf.execmd.exe

pid process

1072 DHL Notification_pdf.exe
1072 DHL Notification_pdf.exe
1072 DHL Notification_pdf.exe
972 cmd.exe
972 cmd.exe

pid	process
112	DHL Notification_pdf.exe
1072	DHL Notification_pdf.exe
1072	DHL Notification_pdf.exe
972	cmd.exe
972	cmd.exe
972	cmd.exe
972	cmd.exe
972	cmd.exe

pid	process
1072	DHL Notification_pdf.exe
1072	DHL Notification_pdf.exe
1072	DHL Notification_pdf.exe
972	cmd.exe
972	cmd.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DHL Notification_pdf.exeDHL Notification_pdf.execmd.exe

description	pid	process
Token: SeDebugPrivilege	112	DHL Notification_pdf.exe
Token: SeDebugPrivilege	1072	DHL Notification_pdf.exe
Token: SeDebugPrivilege	972	cmd.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

DHL Notification_pdf.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 112 wrote to memory of 1108	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1108	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1108	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1108	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 112 wrote to memory of 1072	112	DHL Notification_pdf.exe	DHL Notification_pdf.exe
PID 1380 wrote to memory of 972	1380	Explorer.EXE	cmd.exe
PID 1380 wrote to memory of 972	1380	Explorer.EXE	cmd.exe
PID 1380 wrote to memory of 972	1380	Explorer.EXE	cmd.exe
PID 1380 wrote to memory of 972	1380	Explorer.EXE	cmd.exe
PID 972 wrote to memory of 1048	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 1048	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 1048	972	cmd.exe	cmd.exe
PID 972 wrote to memory of 1048	972	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:112

C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe"
3⤵
PID:1108

C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe
"C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1072

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:1280

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:972

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DHL Notification_pdf.exe"
3⤵
- Deletes itself
PID:1048

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/112-55-0x0000000074C11000-0x0000000074C13000-memory.dmp

Filesize
8KB

Download
memory/112-56-0x00000000003E0000-0x00000000003F6000-memory.dmp

Filesize
88KB

Download
memory/112-57-0x00000000008D0000-0x00000000008DE000-memory.dmp

Filesize
56KB

Download
memory/112-58-0x0000000004C40000-0x0000000004CB0000-memory.dmp

Filesize
448KB

Download
memory/112-59-0x0000000002020000-0x0000000002054000-memory.dmp

Filesize
208KB

Download
memory/112-54-0x0000000000AC0000-0x0000000000B4A000-memory.dmp

Filesize
552KB

Download
memory/972-69-0x0000000000000000-mapping.dmp

Download
memory/972-77-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/972-75-0x00000000022A0000-0x0000000002334000-memory.dmp

Filesize
592KB

Download
memory/972-74-0x0000000001EF0000-0x00000000021F3000-memory.dmp

Filesize
3.0MB

Download
memory/972-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/972-72-0x000000004A510000-0x000000004A55C000-memory.dmp

Filesize
304KB

Download
memory/1048-71-0x0000000000000000-mapping.dmp

Download
memory/1072-70-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-67-0x00000000004A0000-0x00000000004B5000-memory.dmp

Filesize
84KB

Download
memory/1072-66-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/1072-64-0x000000000041F0A0-mapping.dmp

Download
memory/1072-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1072-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1380-68-0x0000000004A20000-0x0000000004B99000-memory.dmp

Filesize
1.5MB

Download
memory/1380-76-0x0000000004880000-0x0000000004985000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads