formbook | dc0f8440e9ae92761e5e833b22c2448fb0f2900f9a184e823b299c74db5c1085

General

Target

DSX_AIR_.exe
Size

764KB
MD5

2a7e5440b5fb19ba09cfcce1afe85e0f
SHA1

122b7e5c3496c9e7ff528ae800526876c090050d
SHA256

dc0f8440e9ae92761e5e833b22c2448fb0f2900f9a184e823b299c74db5c1085
SHA512

2d313577170221cbf9bb6dd0439f76506c3a4d0d88370af8b350363748953d01847906c0e04c1c09d3e7f2500cb648ee7a21167bcafd0fbe278e2bf700a92ac2
SSDEEP

12288:Ut4gOMtEwcU3gZ+GQzjkATGdszyZtHZlCmWhrjKYQDJxuv64GEabMhwHJ7GPzlfK:uRO6AAgZbQzlGIyZFggDJKES2J7GPzly

Score

10^/10

formbook gg62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gg62

Decoy

growfast.africa

lerema.com

38945.se

wheelfermotors.africa

giftshareforyou.online

burrismktg.com

keepgrowing.uk

efefhomeless.buzz

bryanokoh.com

fashion-clothing-40094.com

andreasunshine.com

naijahood.africa

aditrirealty.com

kinnoitodatsumou.com

cryptoqzclimax.com

hairly.biz

comeuphither4.com

integrity360.ltd

flushywhole.com

8869365.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/388-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/388-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1012-148-0x0000000000E10000-0x0000000000E3F000-memory.dmp	formbook
behavioral2/memory/1012-152-0x0000000000E10000-0x0000000000E3F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

DSX_AIR_.exeDSX_AIR_.exeWWAHost.exe

description	pid	process	target process
PID 4664 set thread context of 388	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 388 set thread context of 684	388	DSX_AIR_.exe	Explorer.EXE
PID 1012 set thread context of 684	1012	WWAHost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 48 IoCs

Processes:

DSX_AIR_.exeDSX_AIR_.exeWWAHost.exe

pid	process
4664	DSX_AIR_.exe
4664	DSX_AIR_.exe
4664	DSX_AIR_.exe
4664	DSX_AIR_.exe
388	DSX_AIR_.exe
388	DSX_AIR_.exe
388	DSX_AIR_.exe
388	DSX_AIR_.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe
1012	WWAHost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

684 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

DSX_AIR_.exeWWAHost.exe

pid process

388 DSX_AIR_.exe
388 DSX_AIR_.exe
388 DSX_AIR_.exe
1012 WWAHost.exe
1012 WWAHost.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

DSX_AIR_.exeDSX_AIR_.exeWWAHost.exe

description pid process

Token: SeDebugPrivilege 4664 DSX_AIR_.exe
Token: SeDebugPrivilege 388 DSX_AIR_.exe
Token: SeDebugPrivilege 1012 WWAHost.exe

pid	process
684	Explorer.EXE

pid	process
388	DSX_AIR_.exe
388	DSX_AIR_.exe
388	DSX_AIR_.exe
1012	WWAHost.exe
1012	WWAHost.exe

description	pid	process
Token: SeDebugPrivilege	4664	DSX_AIR_.exe
Token: SeDebugPrivilege	388	DSX_AIR_.exe
Token: SeDebugPrivilege	1012	WWAHost.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

DSX_AIR_.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 4664 wrote to memory of 1084	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 1084	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 1084	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 3420	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 3420	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 3420	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 388	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 388	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 388	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 388	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 388	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 4664 wrote to memory of 388	4664	DSX_AIR_.exe	DSX_AIR_.exe
PID 684 wrote to memory of 1012	684	Explorer.EXE	WWAHost.exe
PID 684 wrote to memory of 1012	684	Explorer.EXE	WWAHost.exe
PID 684 wrote to memory of 1012	684	Explorer.EXE	WWAHost.exe
PID 1012 wrote to memory of 2316	1012	WWAHost.exe	cmd.exe
PID 1012 wrote to memory of 2316	1012	WWAHost.exe	cmd.exe
PID 1012 wrote to memory of 2316	1012	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:684

C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe
"C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4664

C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe
"C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe"
3⤵
PID:1084

C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe
"C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe"
3⤵
PID:3420

C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe
"C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:388

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1012

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\DSX_AIR_.exe"
3⤵
PID:2316

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/388-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/388-144-0x0000000000EA0000-0x0000000000EB4000-memory.dmp

Filesize
80KB

Download
memory/388-143-0x0000000000EC0000-0x000000000120A000-memory.dmp

Filesize
3.3MB

Download
memory/388-139-0x0000000000000000-mapping.dmp

Download
memory/388-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/684-155-0x00000000081F0000-0x00000000082AE000-memory.dmp

Filesize
760KB

Download
memory/684-154-0x00000000081F0000-0x00000000082AE000-memory.dmp

Filesize
760KB

Download
memory/684-151-0x0000000003010000-0x00000000030D7000-memory.dmp

Filesize
796KB

Download
memory/684-145-0x0000000003010000-0x00000000030D7000-memory.dmp

Filesize
796KB

Download
memory/1012-148-0x0000000000E10000-0x0000000000E3F000-memory.dmp

Filesize
188KB

Download
memory/1012-152-0x0000000000E10000-0x0000000000E3F000-memory.dmp

Filesize
188KB

Download
memory/1012-153-0x0000000001F40000-0x0000000001FD3000-memory.dmp

Filesize
588KB

Download
memory/1012-150-0x0000000002040000-0x000000000238A000-memory.dmp

Filesize
3.3MB

Download
memory/1012-146-0x0000000000000000-mapping.dmp

Download
memory/1012-147-0x0000000000F60000-0x000000000103C000-memory.dmp

Filesize
880KB

Download
memory/1084-137-0x0000000000000000-mapping.dmp

Download
memory/2316-149-0x0000000000000000-mapping.dmp

Download
memory/3420-138-0x0000000000000000-mapping.dmp

Download
memory/4664-132-0x00000000007E0000-0x00000000008A6000-memory.dmp

Filesize
792KB

Download
memory/4664-136-0x0000000008F70000-0x000000000900C000-memory.dmp

Filesize
624KB

Download
memory/4664-135-0x00000000050F0000-0x00000000050FA000-memory.dmp

Filesize
40KB

Download
memory/4664-134-0x0000000005160000-0x00000000051F2000-memory.dmp

Filesize
584KB

Download
memory/4664-133-0x00000000057E0000-0x0000000005D84000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads