formbook | 59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4

General

Target

inquiry order_details.com.exe
Size

876KB
MD5

e6d120871246c094004ec3b84f1102eb
SHA1

9404257730a1c4d5db6b4a27350614b1ba840211
SHA256

59162d6533d5d56ceedd3f8a24e85e75cd198c72db5719188a4a582752d7fbe4
SHA512

8fce77b46cf277920b6b884faba48d73be8ca9c5cbcc52d551437020c7bd6d22946f61b89f943062cd41fb5d5484e995e8075d3efca8c57b7b50258b1c0a7add
SSDEEP

12288:1gdxTv//+Yuk+Ad+jGObj/Kjx2WJ2YPfOvESqLRrSfN9YnZNM0MSvhh7LUQw:10PTbTOvY21YHO8dS1Cn/M0MSvfS

Score

10^/10

formbook jn85 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jn85

Decoy

106c6423c3.com

vittoriospumpherston.co.uk

furniture-best.com

employersfindme.online

colegioagustinruiz.com

fuziservice.com

differentlokal.com

azzfasst.com

kerncereus.online

johnschottllc.com

disembark-burgeoned.click

cabliviwarranty.com

justzionism.com

diplomy-ua.top

cloudadonis.com

vaalepoxies.africa

ky2088.vip

gsportal.africa

alphastrength-us.com

homerams.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

resource	yara_rule
behavioral1/memory/952-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/952-63-0x000000000041F130-mapping.dmp	formbook
behavioral1/memory/952-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/952-73-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1664-75-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1664-80-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
276	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1264 set thread context of 952	1264	inquiry order_details.com.exe	28
PID 952 set thread context of 1232	952	inquiry order_details.com.exe	16
PID 952 set thread context of 1232	952	inquiry order_details.com.exe	16
PID 1664 set thread context of 1232	1664	wininit.exe	16

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
952	inquiry order_details.com.exe
952	inquiry order_details.com.exe
952	inquiry order_details.com.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe
1664	wininit.exe

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
952	inquiry order_details.com.exe
952	inquiry order_details.com.exe
952	inquiry order_details.com.exe
952	inquiry order_details.com.exe
1664	wininit.exe
1664	wininit.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	952	inquiry order_details.com.exe
Token: SeDebugPrivilege	1664	wininit.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1232	Explorer.EXE
1232	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1264 wrote to memory of 952	1264	inquiry order_details.com.exe	28
PID 1264 wrote to memory of 952	1264	inquiry order_details.com.exe	28
PID 1264 wrote to memory of 952	1264	inquiry order_details.com.exe	28
PID 1264 wrote to memory of 952	1264	inquiry order_details.com.exe	28
PID 1264 wrote to memory of 952	1264	inquiry order_details.com.exe	28
PID 1264 wrote to memory of 952	1264	inquiry order_details.com.exe	28
PID 1264 wrote to memory of 952	1264	inquiry order_details.com.exe	28
PID 1232 wrote to memory of 1664	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1664	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1664	1232	Explorer.EXE	29
PID 1232 wrote to memory of 1664	1232	Explorer.EXE	29
PID 1664 wrote to memory of 276	1664	wininit.exe	30
PID 1664 wrote to memory of 276	1664	wininit.exe	30
PID 1664 wrote to memory of 276	1664	wininit.exe	30
PID 1664 wrote to memory of 276	1664	wininit.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Users\Admin\AppData\Local\Temp\inquiry order_details.com.exe
  "C:\Users\Admin\AppData\Local\Temp\inquiry order_details.com.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1264
- - C:\Users\Admin\AppData\Local\Temp\inquiry order_details.com.exe
    "{path}"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:952
- C:\Windows\SysWOW64\wininit.exe
  "C:\Windows\SysWOW64\wininit.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\inquiry order_details.com.exe"
    3⤵
    - Deletes itself
    PID:276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/952-66-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/952-73-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-70-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/952-67-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/952-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/952-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1232-68-0x00000000046D0000-0x00000000047EF000-memory.dmp

Filesize
1.1MB

Download
memory/1232-71-0x0000000006160000-0x000000000630D000-memory.dmp

Filesize
1.7MB

Download
memory/1232-81-0x00000000047F0000-0x0000000004944000-memory.dmp

Filesize
1.3MB

Download
memory/1232-79-0x00000000047F0000-0x0000000004944000-memory.dmp

Filesize
1.3MB

Download
memory/1264-55-0x0000000076711000-0x0000000076713000-memory.dmp

Filesize
8KB

Download
memory/1264-54-0x0000000001170000-0x0000000001252000-memory.dmp

Filesize
904KB

Download
memory/1264-57-0x0000000005C90000-0x0000000005D18000-memory.dmp

Filesize
544KB

Download
memory/1264-56-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1264-58-0x0000000000500000-0x0000000000534000-memory.dmp

Filesize
208KB

Download
memory/1664-74-0x0000000000840000-0x000000000085A000-memory.dmp

Filesize
104KB

Download
memory/1664-77-0x0000000001F30000-0x0000000002233000-memory.dmp

Filesize
3.0MB

Download
memory/1664-75-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1664-78-0x0000000001E10000-0x0000000001EA3000-memory.dmp

Filesize
588KB

Download
memory/1664-80-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing