formbook | a1fc12e0b11dc727c1e4f58da908d512b2ea1fb69cc317e024390440807d62eb

General

Target

invoice.exe
Size

624KB
MD5

fcf70baef57eab612fce7b21dc2a5410
SHA1

93c16bc1445bb7fcabbe32ec19653d5b849ba2f3
SHA256

a1fc12e0b11dc727c1e4f58da908d512b2ea1fb69cc317e024390440807d62eb
SHA512

c0eb203304c71897786162add97302546971ba758abdbefb5ce20293a453adba3a21fbe0abfb3af23943bd5cca3817463a5c63b1a1e313306f7fc1fd5dc2510a
SSDEEP

12288:HqUKm0e+ay2vZtiHDETS3AgRwbTKGpKO1:PKm0apvZt4DnAB6F

Score

10^/10

formbook m82 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m82

Decoy

jamesdevereux.com

artificialturfminneapolis.com

hongmeiyan.com

lojaderoupasbr.com

yit.africa

austinrelocationexpert.com

saiva.page

exitsategy.com

chochonux.com

klosterbraeu-unterliezheim.com

byseymanur.com

sblwarwickshire.co.uk

brazimaid.com

ciogame.com

bronzesailing.com

dwkapl.xyz

022dyd.com

compassandpathwriting.com

alphabet1x.com

selfcleaninghairbrush.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4544-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4544-145-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4544-152-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4840-154-0x0000000000F70000-0x0000000000F9F000-memory.dmp	formbook
behavioral2/memory/4840-158-0x0000000000F70000-0x0000000000F9F000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

invoice.exeRegSvcs.exesystray.exe

description	pid	process	target process
PID 2028 set thread context of 4544	2028	invoice.exe	RegSvcs.exe
PID 4544 set thread context of 3212	4544	RegSvcs.exe	Explorer.EXE
PID 4544 set thread context of 3212	4544	RegSvcs.exe	Explorer.EXE
PID 4840 set thread context of 3212	4840	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 38 IoCs

Processes:

invoice.exeRegSvcs.exesystray.exe

pid	process
2028	invoice.exe
2028	invoice.exe
4544	RegSvcs.exe
4544	RegSvcs.exe
4544	RegSvcs.exe
4544	RegSvcs.exe
4544	RegSvcs.exe
4544	RegSvcs.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe
4840	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3212 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

RegSvcs.exesystray.exe

pid process

4544 RegSvcs.exe
4544 RegSvcs.exe
4544 RegSvcs.exe
4544 RegSvcs.exe
4840 systray.exe
4840 systray.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

invoice.exeRegSvcs.exesystray.exe

description pid process

Token: SeDebugPrivilege 2028 invoice.exe
Token: SeDebugPrivilege 4544 RegSvcs.exe
Token: SeDebugPrivilege 4840 systray.exe

pid	process
3212	Explorer.EXE

pid	process
4544	RegSvcs.exe
4544	RegSvcs.exe
4544	RegSvcs.exe
4544	RegSvcs.exe
4840	systray.exe
4840	systray.exe

description	pid	process
Token: SeDebugPrivilege	2028	invoice.exe
Token: SeDebugPrivilege	4544	RegSvcs.exe
Token: SeDebugPrivilege	4840	systray.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

invoice.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2028 wrote to memory of 4544	2028	invoice.exe	RegSvcs.exe
PID 2028 wrote to memory of 4544	2028	invoice.exe	RegSvcs.exe
PID 2028 wrote to memory of 4544	2028	invoice.exe	RegSvcs.exe
PID 2028 wrote to memory of 4544	2028	invoice.exe	RegSvcs.exe
PID 2028 wrote to memory of 4544	2028	invoice.exe	RegSvcs.exe
PID 2028 wrote to memory of 4544	2028	invoice.exe	RegSvcs.exe
PID 3212 wrote to memory of 4840	3212	Explorer.EXE	systray.exe
PID 3212 wrote to memory of 4840	3212	Explorer.EXE	systray.exe
PID 3212 wrote to memory of 4840	3212	Explorer.EXE	systray.exe
PID 4840 wrote to memory of 4240	4840	systray.exe	cmd.exe
PID 4840 wrote to memory of 4240	4840	systray.exe	cmd.exe
PID 4840 wrote to memory of 4240	4840	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3212

C:\Users\Admin\AppData\Local\Temp\invoice.exe
"C:\Users\Admin\AppData\Local\Temp\invoice.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4544

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4840

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
3⤵
PID:4240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-134-0x0000000000360000-0x0000000000402000-memory.dmp

Filesize
648KB

Download
memory/2028-135-0x0000000005350000-0x00000000058F4000-memory.dmp

Filesize
5.6MB

Download
memory/2028-136-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/2028-137-0x0000000004DE0000-0x0000000004DEA000-memory.dmp

Filesize
40KB

Download
memory/2028-138-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2028-139-0x0000000005040000-0x0000000005050000-memory.dmp

Filesize
64KB

Download
memory/2028-140-0x00000000080C0000-0x000000000815C000-memory.dmp

Filesize
624KB

Download
memory/3212-163-0x0000000008D00000-0x0000000008E54000-memory.dmp

Filesize
1.3MB

Download
memory/3212-162-0x0000000008D00000-0x0000000008E54000-memory.dmp

Filesize
1.3MB

Download
memory/3212-160-0x0000000008D00000-0x0000000008E54000-memory.dmp

Filesize
1.3MB

Download
memory/3212-150-0x0000000008AA0000-0x0000000008C47000-memory.dmp

Filesize
1.7MB

Download
memory/3212-147-0x00000000081C0000-0x00000000082DD000-memory.dmp

Filesize
1.1MB

Download
memory/4544-149-0x0000000001020000-0x0000000001035000-memory.dmp

Filesize
84KB

Download
memory/4544-146-0x0000000000FC0000-0x0000000000FD5000-memory.dmp

Filesize
84KB

Download
memory/4544-152-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-145-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4544-143-0x0000000001060000-0x00000000013AA000-memory.dmp

Filesize
3.3MB

Download
memory/4544-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4840-153-0x0000000000DE0000-0x0000000000DE6000-memory.dmp

Filesize
24KB

Download
memory/4840-151-0x0000000000DE0000-0x0000000000DE6000-memory.dmp

Filesize
24KB

Download
memory/4840-154-0x0000000000F70000-0x0000000000F9F000-memory.dmp

Filesize
188KB

Download
memory/4840-155-0x0000000003040000-0x000000000338A000-memory.dmp

Filesize
3.3MB

Download
memory/4840-158-0x0000000000F70000-0x0000000000F9F000-memory.dmp

Filesize
188KB

Download
memory/4840-159-0x0000000002E80000-0x0000000002F14000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads