formbook | 51df534958124aa2bdf39d17923291312a9b2c693520ba381eaecffee9ba1487

General

Target

INVS #14320023.exe
Size

832KB
MD5

5e87bb63fb7409f0de2dbc75fb2500a4
SHA1

5d3d56dfa64c89905fcf0b4386fca6eb2bb452de
SHA256

9cd7ca54fc2b418d2f82093ed798cdd02478830c5b3fb956e59dd2d325e55682
SHA512

54bf90406ba1a71b5e824173e54a94f924301c8d0fefc254872400fb6e2dafe5deff1c5bc6f4df4f2f0feaca131e24caa18e46bd98bac9ff2b0ec1fcb1cfff55
SSDEEP

12288:0zAuodiJGRTwdW1bjsMluDOmaPrkTQWvmi8suUq2Lz3Xp2cHUwJ8ER06nghD:aoYJTsVpuDOmkomsBz3Xp2qJjR06n

Score

10^/10

formbook dr62 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dr62

Decoy

juanbrujo.com

toptasker.africa

g-labs.one

1redbuckpermonth.com

lasolutions.online

beginagainmen.com

iearn.site

leading-car.ru

codigosindiabetes.fun

6y8ud.bond

fptmarket.shop

ctjhxv3.vip

huluxia2.xyz

piggg08.uk

kms-pico-tools.com

westonandcate.com

giftrendz.com

kqwdhrendfywefdst.top

anchitchoudhary.com

sistemodasi.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4604-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4604-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1676-149-0x00000000005C0000-0x00000000005EF000-memory.dmp	formbook
behavioral2/memory/1676-151-0x00000000005C0000-0x00000000005EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 4604	2200	INVS #14320023.exe	95
PID 4604 set thread context of 3144	4604	INVS #14320023.exe	70
PID 1676 set thread context of 3144	1676	NETSTAT.EXE	70

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
1676	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4604	INVS #14320023.exe
4604	INVS #14320023.exe
4604	INVS #14320023.exe
4604	INVS #14320023.exe
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE
1676	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3144	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4604	INVS #14320023.exe
4604	INVS #14320023.exe
4604	INVS #14320023.exe
1676	NETSTAT.EXE
1676	NETSTAT.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	INVS #14320023.exe
Token: SeDebugPrivilege	1676	NETSTAT.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 4604	2200	INVS #14320023.exe	95
PID 2200 wrote to memory of 4604	2200	INVS #14320023.exe	95
PID 2200 wrote to memory of 4604	2200	INVS #14320023.exe	95
PID 2200 wrote to memory of 4604	2200	INVS #14320023.exe	95
PID 2200 wrote to memory of 4604	2200	INVS #14320023.exe	95
PID 2200 wrote to memory of 4604	2200	INVS #14320023.exe	95
PID 3144 wrote to memory of 1676	3144	Explorer.EXE	96
PID 3144 wrote to memory of 1676	3144	Explorer.EXE	96
PID 3144 wrote to memory of 1676	3144	Explorer.EXE	96
PID 1676 wrote to memory of 1440	1676	NETSTAT.EXE	97
PID 1676 wrote to memory of 1440	1676	NETSTAT.EXE	97
PID 1676 wrote to memory of 1440	1676	NETSTAT.EXE	97

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3144
- C:\Users\Admin\AppData\Local\Temp\INVS #14320023.exe
  "C:\Users\Admin\AppData\Local\Temp\INVS #14320023.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\INVS #14320023.exe
    "C:\Users\Admin\AppData\Local\Temp\INVS #14320023.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4604
- C:\Windows\SysWOW64\NETSTAT.EXE
  "C:\Windows\SysWOW64\NETSTAT.EXE"
  2⤵
  - Suspicious use of SetThreadContext
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\INVS #14320023.exe"
    3⤵
    PID:1440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1676-147-0x0000000000590000-0x000000000059B000-memory.dmp

Filesize
44KB

Download
memory/1676-153-0x0000000001240000-0x00000000012D3000-memory.dmp

Filesize
588KB

Download
memory/1676-151-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1676-149-0x00000000005C0000-0x00000000005EF000-memory.dmp

Filesize
188KB

Download
memory/1676-150-0x0000000000EF0000-0x000000000123A000-memory.dmp

Filesize
3.3MB

Download
memory/1676-148-0x0000000000590000-0x000000000059B000-memory.dmp

Filesize
44KB

Download
memory/2200-138-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/2200-135-0x0000000005470000-0x0000000005502000-memory.dmp

Filesize
584KB

Download
memory/2200-134-0x0000000005980000-0x0000000005F24000-memory.dmp

Filesize
5.6MB

Download
memory/2200-136-0x0000000005420000-0x000000000542A000-memory.dmp

Filesize
40KB

Download
memory/2200-137-0x00000000056A0000-0x00000000056B0000-memory.dmp

Filesize
64KB

Download
memory/2200-133-0x0000000000AC0000-0x0000000000B94000-memory.dmp

Filesize
848KB

Download
memory/2200-139-0x0000000008100000-0x000000000819C000-memory.dmp

Filesize
624KB

Download
memory/3144-146-0x0000000002C40000-0x0000000002CFF000-memory.dmp

Filesize
764KB

Download
memory/3144-154-0x0000000008570000-0x0000000008657000-memory.dmp

Filesize
924KB

Download
memory/3144-155-0x0000000008570000-0x0000000008657000-memory.dmp

Filesize
924KB

Download
memory/4604-145-0x0000000001E60000-0x0000000001E74000-memory.dmp

Filesize
80KB

Download
memory/4604-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4604-143-0x0000000001A50000-0x0000000001D9A000-memory.dmp

Filesize
3.3MB

Download

Analysis

Sharing