formbook | 9453f03883b60dbbaa033c3529dcf915e2ad8e01939913092f0b64938f2eaf12

General

Target

Original Shipping documents.exe
Size

785KB
MD5

d511e5a0e42309e6148b3e7f6b9e5bcf
SHA1

858aade78f8463bca167656c81022f20a7535fb9
SHA256

342215db36f2fa15a4b72d54cb4e7a7179462dcaab9dc9f791336df867d6d286
SHA512

ea71544cdc672051dd8b04fb5ec08853fd2c04994b93a1fc1d61f5efcd2a18ac63f01dd9fb64a398eac1e701762aff019886a2baebf971ec4be4aee4b8ea381d
SSDEEP

24576:IrxN5IC54TWMnp74YTKza8D7ajPhVoo6dlSA:Etgim8QeLmPIvdn

Score

10^/10

formbook gg62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gg62

Decoy

growfast.africa

lerema.com

38945.se

wheelfermotors.africa

giftshareforyou.online

burrismktg.com

keepgrowing.uk

efefhomeless.buzz

bryanokoh.com

fashion-clothing-40094.com

andreasunshine.com

naijahood.africa

aditrirealty.com

kinnoitodatsumou.com

cryptoqzclimax.com

hairly.biz

comeuphither4.com

integrity360.ltd

flushywhole.com

8869365.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/64-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/64-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4264-146-0x0000000000AC0000-0x0000000000AEF000-memory.dmp	formbook
behavioral2/memory/4264-151-0x0000000000AC0000-0x0000000000AEF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Original Shipping documents.exeOriginal Shipping documents.exemsdt.exe

description	pid	process	target process
PID 1080 set thread context of 64	1080	Original Shipping documents.exe	Original Shipping documents.exe
PID 64 set thread context of 2824	64	Original Shipping documents.exe	Explorer.EXE
PID 4264 set thread context of 2824	4264	msdt.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

Original Shipping documents.exemsdt.exe

pid	process
64	Original Shipping documents.exe
64	Original Shipping documents.exe
64	Original Shipping documents.exe
64	Original Shipping documents.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe
4264	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2824 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Original Shipping documents.exemsdt.exe

pid process

64 Original Shipping documents.exe
64 Original Shipping documents.exe
64 Original Shipping documents.exe
4264 msdt.exe
4264 msdt.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Original Shipping documents.exemsdt.exe

description pid process

Token: SeDebugPrivilege 64 Original Shipping documents.exe
Token: SeDebugPrivilege 4264 msdt.exe

pid	process
2824	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	64	Original Shipping documents.exe
Token: SeDebugPrivilege	4264	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Original Shipping documents.exeExplorer.EXEmsdt.exe

description	pid	process	target process
PID 1080 wrote to memory of 64	1080	Original Shipping documents.exe	Original Shipping documents.exe
PID 1080 wrote to memory of 64	1080	Original Shipping documents.exe	Original Shipping documents.exe
PID 1080 wrote to memory of 64	1080	Original Shipping documents.exe	Original Shipping documents.exe
PID 1080 wrote to memory of 64	1080	Original Shipping documents.exe	Original Shipping documents.exe
PID 1080 wrote to memory of 64	1080	Original Shipping documents.exe	Original Shipping documents.exe
PID 1080 wrote to memory of 64	1080	Original Shipping documents.exe	Original Shipping documents.exe
PID 2824 wrote to memory of 4264	2824	Explorer.EXE	msdt.exe
PID 2824 wrote to memory of 4264	2824	Explorer.EXE	msdt.exe
PID 2824 wrote to memory of 4264	2824	Explorer.EXE	msdt.exe
PID 4264 wrote to memory of 1956	4264	msdt.exe	cmd.exe
PID 4264 wrote to memory of 1956	4264	msdt.exe	cmd.exe
PID 4264 wrote to memory of 1956	4264	msdt.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2824

C:\Users\Admin\AppData\Local\Temp\Original Shipping documents.exe
"C:\Users\Admin\AppData\Local\Temp\Original Shipping documents.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1080

C:\Users\Admin\AppData\Local\Temp\Original Shipping documents.exe
"C:\Users\Admin\AppData\Local\Temp\Original Shipping documents.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:64

C:\Windows\SysWOW64\msdt.exe
"C:\Windows\SysWOW64\msdt.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Original Shipping documents.exe"
3⤵
PID:1956

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/64-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/64-137-0x0000000000000000-mapping.dmp

Download
memory/64-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/64-140-0x0000000001950000-0x0000000001C9A000-memory.dmp

Filesize
3.3MB

Download
memory/64-141-0x0000000001470000-0x0000000001484000-memory.dmp

Filesize
80KB

Download
memory/1080-133-0x0000000005D10000-0x00000000062B4000-memory.dmp

Filesize
5.6MB

Download
memory/1080-134-0x0000000005800000-0x0000000005892000-memory.dmp

Filesize
584KB

Download
memory/1080-135-0x00000000058A0000-0x00000000058AA000-memory.dmp

Filesize
40KB

Download
memory/1080-136-0x00000000094C0000-0x000000000955C000-memory.dmp

Filesize
624KB

Download
memory/1080-132-0x0000000000D90000-0x0000000000E5A000-memory.dmp

Filesize
808KB

Download
memory/1956-148-0x0000000000000000-mapping.dmp

Download
memory/2824-142-0x0000000003290000-0x0000000003375000-memory.dmp

Filesize
916KB

Download
memory/2824-150-0x0000000008550000-0x00000000086A1000-memory.dmp

Filesize
1.3MB

Download
memory/2824-152-0x0000000008550000-0x00000000086A1000-memory.dmp

Filesize
1.3MB

Download
memory/4264-143-0x0000000000000000-mapping.dmp

Download
memory/4264-145-0x0000000000EE0000-0x0000000000F37000-memory.dmp

Filesize
348KB

Download
memory/4264-146-0x0000000000AC0000-0x0000000000AEF000-memory.dmp

Filesize
188KB

Download
memory/4264-147-0x0000000002D80000-0x00000000030CA000-memory.dmp

Filesize
3.3MB

Download
memory/4264-149-0x0000000002960000-0x00000000029F3000-memory.dmp

Filesize
588KB

Download
memory/4264-151-0x0000000000AC0000-0x0000000000AEF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads