formbook | 8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897

General

Target

tmp.exe
Size

880KB
MD5

b334b3f51ba68fe25f487850ee9710ed
SHA1

ea18a63daa9f0b55a96e70bf9e45838f48b56b92
SHA256

8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897
SHA512

2c653f016428898c75ac85b891ad3b0c98fb80e0b46786773c2af95d0ad18fec13755d9f0ad316186f827ce04454738217789babeb8cd735af1c322fae091450
SSDEEP

24576:8RiMfoGdmgFQCIdv/H5e7w7En1gSp4T79j:4QGdlehdH5e7w7EnOSCP

Score

10^/10

formbook dv22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv22

Decoy

ivk-muc.com

theplantgranny.net

efefefficient.buzz

car-deals-87506.com

yangcongzhibo.net

empiralventures.com

latexpillo.com

ferramentafivizzanese.shop

kx1553.com

timamollo.africa

paran6787.net

fabicilio.online

kreativnettchen.shop

manakamana.co.uk

andreapeverelli.shop

jianf.site

kmqan.xyz

aoshilang.com

dnsmctmu.com

pumpkinsmp.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4228-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4228-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4164-146-0x0000000000500000-0x000000000052F000-memory.dmp	formbook
behavioral2/memory/4164-151-0x0000000000500000-0x000000000052F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.exewlanext.exe

description	pid	process	target process
PID 1904 set thread context of 4228	1904	tmp.exe	tmp.exe
PID 4228 set thread context of 3044	4228	tmp.exe	Explorer.EXE
PID 4164 set thread context of 3044	4164	wlanext.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 40 IoCs

Processes:

tmp.exewlanext.exe

pid	process
4228	tmp.exe
4228	tmp.exe
4228	tmp.exe
4228	tmp.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe
4164	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3044 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tmp.exewlanext.exe

pid process

4228 tmp.exe
4228 tmp.exe
4228 tmp.exe
4164 wlanext.exe
4164 wlanext.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

tmp.exewlanext.exe

description pid process

Token: SeDebugPrivilege 4228 tmp.exe
Token: SeDebugPrivilege 4164 wlanext.exe

pid	process
3044	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4228	tmp.exe
Token: SeDebugPrivilege	4164	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

tmp.exeExplorer.EXEwlanext.exe

description	pid	process	target process
PID 1904 wrote to memory of 4228	1904	tmp.exe	tmp.exe
PID 1904 wrote to memory of 4228	1904	tmp.exe	tmp.exe
PID 1904 wrote to memory of 4228	1904	tmp.exe	tmp.exe
PID 1904 wrote to memory of 4228	1904	tmp.exe	tmp.exe
PID 1904 wrote to memory of 4228	1904	tmp.exe	tmp.exe
PID 1904 wrote to memory of 4228	1904	tmp.exe	tmp.exe
PID 3044 wrote to memory of 4164	3044	Explorer.EXE	wlanext.exe
PID 3044 wrote to memory of 4164	3044	Explorer.EXE	wlanext.exe
PID 3044 wrote to memory of 4164	3044	Explorer.EXE	wlanext.exe
PID 4164 wrote to memory of 4260	4164	wlanext.exe	cmd.exe
PID 4164 wrote to memory of 4260	4164	wlanext.exe	cmd.exe
PID 4164 wrote to memory of 4260	4164	wlanext.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4228

C:\Windows\SysWOW64\wlanext.exe
"C:\Windows\SysWOW64\wlanext.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4164

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
3⤵
PID:4260

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1904-133-0x0000000005CB0000-0x0000000006254000-memory.dmp

Filesize
5.6MB

Download
memory/1904-134-0x0000000005700000-0x0000000005792000-memory.dmp

Filesize
584KB

Download
memory/1904-135-0x0000000005680000-0x000000000568A000-memory.dmp

Filesize
40KB

Download
memory/1904-136-0x0000000008050000-0x00000000080EC000-memory.dmp

Filesize
624KB

Download
memory/1904-132-0x0000000000C00000-0x0000000000CE0000-memory.dmp

Filesize
896KB

Download
memory/3044-143-0x00000000080B0000-0x00000000081B6000-memory.dmp

Filesize
1.0MB

Download
memory/3044-152-0x00000000081C0000-0x0000000008302000-memory.dmp

Filesize
1.3MB

Download
memory/3044-150-0x00000000081C0000-0x0000000008302000-memory.dmp

Filesize
1.3MB

Download
memory/4164-148-0x0000000000CD0000-0x000000000101A000-memory.dmp

Filesize
3.3MB

Download
memory/4164-144-0x0000000000000000-mapping.dmp

Download
memory/4164-145-0x0000000000CB0000-0x0000000000CC7000-memory.dmp

Filesize
92KB

Download
memory/4164-146-0x0000000000500000-0x000000000052F000-memory.dmp

Filesize
188KB

Download
memory/4164-149-0x0000000000B40000-0x0000000000BD3000-memory.dmp

Filesize
588KB

Download
memory/4164-151-0x0000000000500000-0x000000000052F000-memory.dmp

Filesize
188KB

Download
memory/4228-142-0x0000000001600000-0x0000000001614000-memory.dmp

Filesize
80KB

Download
memory/4228-141-0x0000000001630000-0x000000000197A000-memory.dmp

Filesize
3.3MB

Download
memory/4228-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4228-137-0x0000000000000000-mapping.dmp

Download
memory/4260-147-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads