formbook | 2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5

General

Target

PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
Size

737KB
MD5

5a31e71dbdb0b31c5af2b1c1c32936ce
SHA1

aecf6320581856198779afec0c1e816961e9757d
SHA256

2358f255cb8390a108fca6934209b56e8f72eb08dbb3708431c449fffe8338e5
SHA512

0bd1fc5ded778006ebbc2d6e9288dd5665b26bebb209d7ba40e8a08aa8c36eda35ef227b39958b493f06a06ddbea477b571332b2dd86c67c0806d71bf128341b
SSDEEP

12288:A79xzQKbXOJz0XXLyw+5iCxJ2rvvLTr8aSVd1Jkx1r7HrcFxJ+O2NimOMt+:lfz0HAiCubvLTar1Jkx1r7HrcFmO2NiQ

Score

10^/10

formbook c29i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c29i

Decoy

chrestheryulelog.com

awesomecustomerservice.com

4455m.net

vonek76k.com

zwelishaprojects.africa

bbangnmoolgogi.com

howickmenswears.com

ba225.com

ipl2018livescore.com

ohprovider.co.uk

handymanservices.shop

1wzxtq.top

busy-people-gifts.com

invited.rsvp

heihei.fun

micloudlogin.page

hwyi1319.com

alitechnologyes.com

hysminai.com

liuyikj.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/696-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/696-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/404-151-0x0000000000610000-0x000000000063F000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 4996 set thread context of 696	4996	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	93
PID 696 set thread context of 3116	696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	52

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

pid	Process
404	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
404	ipconfig.exe
404	ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3116	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	696	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
Token: SeDebugPrivilege	404	ipconfig.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4996 wrote to memory of 696	4996	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	93
PID 4996 wrote to memory of 696	4996	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	93
PID 4996 wrote to memory of 696	4996	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	93
PID 4996 wrote to memory of 696	4996	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	93
PID 4996 wrote to memory of 696	4996	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	93
PID 4996 wrote to memory of 696	4996	PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe	93
PID 3116 wrote to memory of 404	3116	Explorer.EXE	94
PID 3116 wrote to memory of 404	3116	Explorer.EXE	94
PID 3116 wrote to memory of 404	3116	Explorer.EXE	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3116
- C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
  "C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4996
- - C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe
    "C:\Users\Admin\AppData\Local\Temp\PRE ALERT KUL-BKI PNUE00951848 4511679901 Maritime n Industrial AE 455681 264-43349902 N7351 20 NOV - DDP TERMS.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:696
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\SysWOW64\ipconfig.exe"
  2⤵
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/404-146-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/404-152-0x0000000000DC0000-0x000000000110A000-memory.dmp

Filesize
3.3MB

Download
memory/404-151-0x0000000000610000-0x000000000063F000-memory.dmp

Filesize
188KB

Download
memory/404-148-0x00000000002A0000-0x00000000002AB000-memory.dmp

Filesize
44KB

Download
memory/696-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/696-143-0x00000000019B0000-0x0000000001CFA000-memory.dmp

Filesize
3.3MB

Download
memory/696-144-0x0000000001E50000-0x0000000001E64000-memory.dmp

Filesize
80KB

Download
memory/3116-145-0x0000000009650000-0x0000000009794000-memory.dmp

Filesize
1.3MB

Download
memory/4996-138-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4996-139-0x00000000099E0000-0x0000000009A7C000-memory.dmp

Filesize
624KB

Download
memory/4996-137-0x00000000055F0000-0x0000000005600000-memory.dmp

Filesize
64KB

Download
memory/4996-133-0x0000000000AF0000-0x0000000000BAE000-memory.dmp

Filesize
760KB

Download
memory/4996-136-0x0000000005500000-0x000000000550A000-memory.dmp

Filesize
40KB

Download
memory/4996-135-0x0000000005440000-0x00000000054D2000-memory.dmp

Filesize
584KB

Download
memory/4996-134-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing