formbook | 9242b1d497cf232d201183851b93b19046929e39e5e512b87ea42f616d0784a4

General

Target

tmp.exe
Size

452KB
MD5

fe889bf209a5e139d07c128c6d0ba877
SHA1

0946646c6c1e28d9c5e48636be2c9be24866ba41
SHA256

9242b1d497cf232d201183851b93b19046929e39e5e512b87ea42f616d0784a4
SHA512

f647a27816f41b9a2aadb7d65452f9109ae60e2954fc279a6d1d4c469e83459299dcdb75402744d995aacb7f7257f72c831980ba7003873043a73c655a09f4b6
SSDEEP

1536:2qDlPCJE7I2SCQv4M/2O1DV9SA9Nayp6kZJ4PnXnaQQvMMMMMM1MMMMMIG:1S39iuYXn1Q7G

Score

10^/10

formbook my28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

my28

Decoy

family-doctor-74284.com

dublinsroofer.com

huangshi.info

learningpaths.site

enoidemusoro.africa

devcapcapacitor.com

hairbeaut.com

forgetourco.com

dekorexpressz.com

keminguesthouse.com

harstadbudtjeneste.com

49astleystreet.com

ldkj1sw.vip

mindfulchild.uk

doyuip.xyz

caseuspageamzoncustomer.com

caressentialz.co.uk

doitchannel.com

3dr8.xyz

clinrbn.ru

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1316-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1316-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1364-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1364-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1316	2040	tmp.exe	28
PID 1316 set thread context of 1244	1316	MSBuild.exe	19
PID 1364 set thread context of 1244	1364	raserver.exe	19

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1316	MSBuild.exe
1316	MSBuild.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe
1364	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1244	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1316	MSBuild.exe
1316	MSBuild.exe
1316	MSBuild.exe
1364	raserver.exe
1364	raserver.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	tmp.exe
Token: SeDebugPrivilege	1316	MSBuild.exe
Token: SeDebugPrivilege	1364	raserver.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1244	Explorer.EXE
1244	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1316	2040	tmp.exe	28
PID 2040 wrote to memory of 1316	2040	tmp.exe	28
PID 2040 wrote to memory of 1316	2040	tmp.exe	28
PID 2040 wrote to memory of 1316	2040	tmp.exe	28
PID 2040 wrote to memory of 1316	2040	tmp.exe	28
PID 2040 wrote to memory of 1316	2040	tmp.exe	28
PID 2040 wrote to memory of 1316	2040	tmp.exe	28
PID 1244 wrote to memory of 1364	1244	Explorer.EXE	29
PID 1244 wrote to memory of 1364	1244	Explorer.EXE	29
PID 1244 wrote to memory of 1364	1244	Explorer.EXE	29
PID 1244 wrote to memory of 1364	1244	Explorer.EXE	29
PID 1364 wrote to memory of 300	1364	raserver.exe	30
PID 1364 wrote to memory of 300	1364	raserver.exe	30
PID 1364 wrote to memory of 300	1364	raserver.exe	30
PID 1364 wrote to memory of 300	1364	raserver.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1316
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
    3⤵
    PID:300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-67-0x0000000004C90000-0x0000000004E13000-memory.dmp

Filesize
1.5MB

Download
memory/1244-80-0x0000000004E20000-0x0000000004ECA000-memory.dmp

Filesize
680KB

Download
memory/1244-78-0x0000000004E20000-0x0000000004ECA000-memory.dmp

Filesize
680KB

Download
memory/1244-77-0x0000000004E20000-0x0000000004ECA000-memory.dmp

Filesize
680KB

Download
memory/1316-66-0x00000000002D0000-0x00000000002E4000-memory.dmp

Filesize
80KB

Download
memory/1316-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-62-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1316-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-65-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/1316-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1364-68-0x0000000000DB0000-0x0000000000DCC000-memory.dmp

Filesize
112KB

Download
memory/1364-70-0x0000000000DB0000-0x0000000000DCC000-memory.dmp

Filesize
112KB

Download
memory/1364-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1364-72-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1364-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1364-76-0x0000000000870000-0x0000000000903000-memory.dmp

Filesize
588KB

Download
memory/2040-58-0x0000000000640000-0x00000000006D2000-memory.dmp

Filesize
584KB

Download
memory/2040-54-0x0000000000290000-0x0000000000306000-memory.dmp

Filesize
472KB

Download
memory/2040-57-0x0000000000500000-0x0000000000528000-memory.dmp

Filesize
160KB

Download
memory/2040-56-0x0000000008280000-0x0000000008388000-memory.dmp

Filesize
1.0MB

Download
memory/2040-55-0x0000000004D30000-0x0000000004D70000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing