formbook | 9e308c465f428be79179482a5f233ac50211cfb39deb493d9a3a5143d13acda7

General

Target

DHL Consignment Details_pdf.exe
Size

933KB
MD5

aab1518e80d1e2ae3415ffcd2cedee87
SHA1

6be8247d09abdb0c5567e2d23f8850c531f60a04
SHA256

9e308c465f428be79179482a5f233ac50211cfb39deb493d9a3a5143d13acda7
SHA512

2d13b9e13c6e30515eaadc138b44865db3888144332dd96e544fb1e0e80beb8319fc5e7f1c864a3e356e991f2d89095186074c13ba8551dee41dadf5046b48f4
SSDEEP

12288:t/cr2iNrq/vvvGn9Uy6mZUeV7llAsG7qgxxRUsAgOL5YKeshB+LByqzNMP1gURVN:2r1w09Uy6FSPdG7qw7U1hB+LBI

Score

10^/10

formbook s20g rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s20g

Decoy

coconutdap.com

pukka-party.co.uk

apexrp.dev

boostmycredit.info

bipobofficial.com

bjl009.com

kagoshimum.com

crtinha.xyz

longsteephill.co.uk

forfour4.com

adversata.com

lesaek.ru

chafang3.xyz

haungo.net

mynextgen.africa

credit-cards-45560.com

cnc-printing.com

antoniafredrik.se

likemedclinic.ru

gyeakoncert.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3808-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3808-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1724-146-0x0000000000A20000-0x0000000000A4F000-memory.dmp	formbook
behavioral2/memory/1724-149-0x0000000000A20000-0x0000000000A4F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

DHL Consignment Details_pdf.exeDHL Consignment Details_pdf.execscript.exe

description	pid	process	target process
PID 2420 set thread context of 3808	2420	DHL Consignment Details_pdf.exe	DHL Consignment Details_pdf.exe
PID 3808 set thread context of 3060	3808	DHL Consignment Details_pdf.exe	Explorer.EXE
PID 1724 set thread context of 3060	1724	cscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

DHL Consignment Details_pdf.execscript.exe

pid	process
3808	DHL Consignment Details_pdf.exe
3808	DHL Consignment Details_pdf.exe
3808	DHL Consignment Details_pdf.exe
3808	DHL Consignment Details_pdf.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe
1724	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3060 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DHL Consignment Details_pdf.execscript.exe

pid process

3808 DHL Consignment Details_pdf.exe
3808 DHL Consignment Details_pdf.exe
3808 DHL Consignment Details_pdf.exe
1724 cscript.exe
1724 cscript.exe

pid	process
3060	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

DHL Consignment Details_pdf.exeExplorer.EXEcscript.exe

description	pid	process
Token: SeDebugPrivilege	3808	DHL Consignment Details_pdf.exe
Token: SeShutdownPrivilege	3060	Explorer.EXE
Token: SeCreatePagefilePrivilege	3060	Explorer.EXE
Token: SeDebugPrivilege	1724	cscript.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

DHL Consignment Details_pdf.exeExplorer.EXEcscript.exe

description	pid	process	target process
PID 2420 wrote to memory of 3808	2420	DHL Consignment Details_pdf.exe	DHL Consignment Details_pdf.exe
PID 2420 wrote to memory of 3808	2420	DHL Consignment Details_pdf.exe	DHL Consignment Details_pdf.exe
PID 2420 wrote to memory of 3808	2420	DHL Consignment Details_pdf.exe	DHL Consignment Details_pdf.exe
PID 2420 wrote to memory of 3808	2420	DHL Consignment Details_pdf.exe	DHL Consignment Details_pdf.exe
PID 2420 wrote to memory of 3808	2420	DHL Consignment Details_pdf.exe	DHL Consignment Details_pdf.exe
PID 2420 wrote to memory of 3808	2420	DHL Consignment Details_pdf.exe	DHL Consignment Details_pdf.exe
PID 3060 wrote to memory of 1724	3060	Explorer.EXE	cscript.exe
PID 3060 wrote to memory of 1724	3060	Explorer.EXE	cscript.exe
PID 3060 wrote to memory of 1724	3060	Explorer.EXE	cscript.exe
PID 1724 wrote to memory of 3664	1724	cscript.exe	cmd.exe
PID 1724 wrote to memory of 3664	1724	cscript.exe	cmd.exe
PID 1724 wrote to memory of 3664	1724	cscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3060
- C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3808
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1724
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\DHL Consignment Details_pdf.exe"
    3⤵
    PID:3664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1724-144-0x0000000000000000-mapping.dmp

Download
memory/1724-150-0x00000000029C0000-0x0000000002A53000-memory.dmp

Filesize
588KB

Download
memory/1724-149-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1724-148-0x0000000002A70000-0x0000000002DBA000-memory.dmp

Filesize
3.3MB

Download
memory/1724-146-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/1724-145-0x0000000000AC0000-0x0000000000AE7000-memory.dmp

Filesize
156KB

Download
memory/2420-133-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/2420-134-0x0000000004CB0000-0x0000000004D42000-memory.dmp

Filesize
584KB

Download
memory/2420-135-0x0000000004C50000-0x0000000004C5A000-memory.dmp

Filesize
40KB

Download
memory/2420-136-0x0000000004F10000-0x0000000004FAC000-memory.dmp

Filesize
624KB

Download
memory/2420-132-0x00000000001C0000-0x00000000002B0000-memory.dmp

Filesize
960KB

Download
memory/3060-143-0x0000000008340000-0x0000000008459000-memory.dmp

Filesize
1.1MB

Download
memory/3060-151-0x0000000008900000-0x0000000008A6D000-memory.dmp

Filesize
1.4MB

Download
memory/3060-152-0x0000000008900000-0x0000000008A6D000-memory.dmp

Filesize
1.4MB

Download
memory/3664-147-0x0000000000000000-mapping.dmp

Download
memory/3808-142-0x0000000001350000-0x0000000001364000-memory.dmp

Filesize
80KB

Download
memory/3808-141-0x00000000013C0000-0x000000000170A000-memory.dmp

Filesize
3.3MB

Download
memory/3808-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3808-137-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads