formbook | 8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897

General

Target

file.exe
Size

880KB
MD5

b334b3f51ba68fe25f487850ee9710ed
SHA1

ea18a63daa9f0b55a96e70bf9e45838f48b56b92
SHA256

8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897
SHA512

2c653f016428898c75ac85b891ad3b0c98fb80e0b46786773c2af95d0ad18fec13755d9f0ad316186f827ce04454738217789babeb8cd735af1c322fae091450
SSDEEP

24576:8RiMfoGdmgFQCIdv/H5e7w7En1gSp4T79j:4QGdlehdH5e7w7EnOSCP

Score

10^/10

formbook dv22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv22

Decoy

ivk-muc.com

theplantgranny.net

efefefficient.buzz

car-deals-87506.com

yangcongzhibo.net

empiralventures.com

latexpillo.com

ferramentafivizzanese.shop

kx1553.com

timamollo.africa

paran6787.net

fabicilio.online

kreativnettchen.shop

manakamana.co.uk

andreapeverelli.shop

jianf.site

kmqan.xyz

aoshilang.com

dnsmctmu.com

pumpkinsmp.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1744-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1744-64-0x000000000041F140-mapping.dmp	formbook
behavioral1/memory/1744-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/668-74-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/668-78-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1932 cmd.exe

pid	process
1932	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

file.exefile.exeraserver.exe

description	pid	process	target process
PID 1460 set thread context of 1744	1460	file.exe	file.exe
PID 1744 set thread context of 1208	1744	file.exe	Explorer.EXE
PID 668 set thread context of 1208	668	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 17 IoCs

Processes:

file.exeraserver.exe

pid	process
1744	file.exe
1744	file.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe
668	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

file.exeraserver.exe

pid process

1744 file.exe
1744 file.exe
1744 file.exe
668 raserver.exe
668 raserver.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

file.exeraserver.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1744 file.exe
Token: SeDebugPrivilege 668 raserver.exe
Token: SeShutdownPrivilege 1208 Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE
1208 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

1208 Explorer.EXE

pid	process
1208	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1744	file.exe
Token: SeDebugPrivilege	668	raserver.exe
Token: SeShutdownPrivilege	1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE
1208	Explorer.EXE

pid	process
1208	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

file.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 1460 wrote to memory of 1744	1460	file.exe	file.exe
PID 1460 wrote to memory of 1744	1460	file.exe	file.exe
PID 1460 wrote to memory of 1744	1460	file.exe	file.exe
PID 1460 wrote to memory of 1744	1460	file.exe	file.exe
PID 1460 wrote to memory of 1744	1460	file.exe	file.exe
PID 1460 wrote to memory of 1744	1460	file.exe	file.exe
PID 1460 wrote to memory of 1744	1460	file.exe	file.exe
PID 1208 wrote to memory of 668	1208	Explorer.EXE	raserver.exe
PID 1208 wrote to memory of 668	1208	Explorer.EXE	raserver.exe
PID 1208 wrote to memory of 668	1208	Explorer.EXE	raserver.exe
PID 1208 wrote to memory of 668	1208	Explorer.EXE	raserver.exe
PID 668 wrote to memory of 1932	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 1932	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 1932	668	raserver.exe	cmd.exe
PID 668 wrote to memory of 1932	668	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1460

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1744

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:668

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\file.exe"
3⤵
- Deletes itself
PID:1932

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-73-0x0000000000150000-0x000000000016C000-memory.dmp

Filesize
112KB

Download
memory/668-70-0x0000000000000000-mapping.dmp

Download
memory/668-74-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/668-75-0x0000000001F70000-0x0000000002273000-memory.dmp

Filesize
3.0MB

Download
memory/668-76-0x0000000001EC0000-0x0000000001F53000-memory.dmp

Filesize
588KB

Download
memory/668-78-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1208-79-0x0000000004360000-0x000000000442B000-memory.dmp

Filesize
812KB

Download
memory/1208-77-0x0000000004360000-0x000000000442B000-memory.dmp

Filesize
812KB

Download
memory/1208-69-0x0000000004D00000-0x0000000004E3D000-memory.dmp

Filesize
1.2MB

Download
memory/1460-59-0x0000000000C20000-0x0000000000C54000-memory.dmp

Filesize
208KB

Download
memory/1460-58-0x0000000005510000-0x0000000005580000-memory.dmp

Filesize
448KB

Download
memory/1460-54-0x00000000012C0000-0x00000000013A0000-memory.dmp

Filesize
896KB

Download
memory/1460-57-0x0000000000270000-0x000000000027E000-memory.dmp

Filesize
56KB

Download
memory/1460-56-0x0000000000250000-0x0000000000266000-memory.dmp

Filesize
88KB

Download
memory/1460-55-0x0000000075D01000-0x0000000075D03000-memory.dmp

Filesize
8KB

Download
memory/1744-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-68-0x00000000003D0000-0x00000000003E4000-memory.dmp

Filesize
80KB

Download
memory/1744-67-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1744-64-0x000000000041F140-mapping.dmp

Download
memory/1744-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1744-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1932-72-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads