formbook | 8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897

General

Target

file.exe
Size

880KB
MD5

b334b3f51ba68fe25f487850ee9710ed
SHA1

ea18a63daa9f0b55a96e70bf9e45838f48b56b92
SHA256

8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897
SHA512

2c653f016428898c75ac85b891ad3b0c98fb80e0b46786773c2af95d0ad18fec13755d9f0ad316186f827ce04454738217789babeb8cd735af1c322fae091450
SSDEEP

24576:8RiMfoGdmgFQCIdv/H5e7w7En1gSp4T79j:4QGdlehdH5e7w7EnOSCP

Score

10^/10

formbook dv22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv22

Decoy

ivk-muc.com

theplantgranny.net

efefefficient.buzz

car-deals-87506.com

yangcongzhibo.net

empiralventures.com

latexpillo.com

ferramentafivizzanese.shop

kx1553.com

timamollo.africa

paran6787.net

fabicilio.online

kreativnettchen.shop

manakamana.co.uk

andreapeverelli.shop

jianf.site

kmqan.xyz

aoshilang.com

dnsmctmu.com

pumpkinsmp.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2152-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2152-143-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2152-146-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1776-150-0x00000000008E0000-0x000000000090F000-memory.dmp	formbook
behavioral2/memory/1776-155-0x00000000008E0000-0x000000000090F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

file.exefile.exewlanext.exe

description	pid	process	target process
PID 4124 set thread context of 2152	4124	file.exe	file.exe
PID 2152 set thread context of 964	2152	file.exe	Explorer.EXE
PID 2152 set thread context of 964	2152	file.exe	Explorer.EXE
PID 1776 set thread context of 964	1776	wlanext.exe	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

file.exewlanext.exe

pid	process
2152	file.exe
2152	file.exe
2152	file.exe
2152	file.exe
2152	file.exe
2152	file.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe
1776	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

964 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

file.exewlanext.exe

pid process

2152 file.exe
2152 file.exe
2152 file.exe
2152 file.exe
1776 wlanext.exe
1776 wlanext.exe

pid	process
964	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

file.exewlanext.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	2152	file.exe
Token: SeDebugPrivilege	1776	wlanext.exe
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE
Token: SeShutdownPrivilege	964	Explorer.EXE
Token: SeCreatePagefilePrivilege	964	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

file.exefile.exewlanext.exe

description	pid	process	target process
PID 4124 wrote to memory of 2152	4124	file.exe	file.exe
PID 4124 wrote to memory of 2152	4124	file.exe	file.exe
PID 4124 wrote to memory of 2152	4124	file.exe	file.exe
PID 4124 wrote to memory of 2152	4124	file.exe	file.exe
PID 4124 wrote to memory of 2152	4124	file.exe	file.exe
PID 4124 wrote to memory of 2152	4124	file.exe	file.exe
PID 2152 wrote to memory of 1776	2152	file.exe	wlanext.exe
PID 2152 wrote to memory of 1776	2152	file.exe	wlanext.exe
PID 2152 wrote to memory of 1776	2152	file.exe	wlanext.exe
PID 1776 wrote to memory of 3580	1776	wlanext.exe	cmd.exe
PID 1776 wrote to memory of 3580	1776	wlanext.exe	cmd.exe
PID 1776 wrote to memory of 3580	1776	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:964
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4124
- - C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2152
  - - C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      4⤵
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1776
    - - C:\Windows\SysWOW64\cmd.exe
        
        /c del "C:\Users\Admin\AppData\Local\Temp\file.exe"
        5⤵
        
        PID:3580
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:4816

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-142-0x0000000008BE0000-0x0000000008CD8000-memory.dmp

Filesize
992KB

Download
memory/964-156-0x0000000008EE0000-0x0000000008FAE000-memory.dmp

Filesize
824KB

Download
memory/964-154-0x0000000008EE0000-0x0000000008FAE000-memory.dmp

Filesize
824KB

Download
memory/964-147-0x0000000008BE0000-0x0000000008CD8000-memory.dmp

Filesize
992KB

Download
memory/964-145-0x0000000008DB0000-0x0000000008EDB000-memory.dmp

Filesize
1.2MB

Download
memory/1776-151-0x0000000001050000-0x000000000139A000-memory.dmp

Filesize
3.3MB

Download
memory/1776-148-0x0000000000000000-mapping.dmp

Download
memory/1776-153-0x0000000000F20000-0x0000000000FB3000-memory.dmp

Filesize
588KB

Download
memory/1776-150-0x00000000008E0000-0x000000000090F000-memory.dmp

Filesize
188KB

Download
memory/1776-149-0x0000000000050000-0x0000000000067000-memory.dmp

Filesize
92KB

Download
memory/1776-155-0x00000000008E0000-0x000000000090F000-memory.dmp

Filesize
188KB

Download
memory/2152-144-0x0000000001760000-0x0000000001774000-memory.dmp

Filesize
80KB

Download
memory/2152-143-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2152-137-0x0000000000000000-mapping.dmp

Download
memory/2152-141-0x0000000001700000-0x0000000001714000-memory.dmp

Filesize
80KB

Download
memory/2152-139-0x0000000001390000-0x00000000016DA000-memory.dmp

Filesize
3.3MB

Download
memory/3580-152-0x0000000000000000-mapping.dmp

Download
memory/4124-135-0x0000000005150000-0x000000000515A000-memory.dmp

Filesize
40KB

Download
memory/4124-132-0x0000000000620000-0x0000000000700000-memory.dmp

Filesize
896KB

Download
memory/4124-134-0x00000000050B0000-0x0000000005142000-memory.dmp

Filesize
584KB

Download
memory/4124-136-0x00000000077E0000-0x000000000787C000-memory.dmp

Filesize
624KB

Download
memory/4124-133-0x00000000055C0000-0x0000000005B64000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads