formbook | 6d50601e8d4511ec20311b70ae15730af45a5d2bc9275ed8c102ebba9332937a

General

Target

4.exe
Size

718KB
MD5

707a20ef6a4ecee999425ed06eb6ffdf
SHA1

87369729f482701c499ea4e3b1efd37a1bccaa62
SHA256

6d50601e8d4511ec20311b70ae15730af45a5d2bc9275ed8c102ebba9332937a
SHA512

657778b88546d69b0df6018c44d6b21359ad95f7813eccd3a0b51aeadd696ccc5ae7021855ff7bf5c81ececdbe28b3b338c902217a81283399365a99654ee381
SSDEEP

12288:DvV+s1bSQT6tjjdB4Jobube9QUjR853Zs2pAPv2sR01PU8DRbW0z/L0+jqeL:Dt3cube9xRsC262U4sYD0+HL

Score

10^/10

formbook an94 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

an94

Decoy

thehouseofdiversity.uk

ftxalamedascam.com

avtohisa.com

elywardrobe.com

leapnt.com

cheryljgreen.xyz

villapep.co.uk

prix.app

spbglobal.net

976768.com

xinxin159.com

grmchardygates.co.uk

caressentialz.co.uk

anraokm.top

btagger.ru

eaimmigration.com

tdassassin.app

minigardeners.co.uk

levictoriaclub.com

yedid.africa

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/1028-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1028-69-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1028-72-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/572-75-0x0000000000070000-0x000000000009F000-memory.dmp	formbook
behavioral1/memory/572-77-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1488	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 1028	1208	4.exe	28
PID 1028 set thread context of 1312	1028	4.exe	16
PID 1028 set thread context of 1312	1028	4.exe	16
PID 572 set thread context of 1312	572	cscript.exe	16

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1028	4.exe
1028	4.exe
1028	4.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe
572	cscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1312	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1028	4.exe
1028	4.exe
1028	4.exe
1028	4.exe
572	cscript.exe
572	cscript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	4.exe
Token: SeDebugPrivilege	572	cscript.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1312	Explorer.EXE
1312	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 1028	1208	4.exe	28
PID 1208 wrote to memory of 1028	1208	4.exe	28
PID 1208 wrote to memory of 1028	1208	4.exe	28
PID 1208 wrote to memory of 1028	1208	4.exe	28
PID 1208 wrote to memory of 1028	1208	4.exe	28
PID 1208 wrote to memory of 1028	1208	4.exe	28
PID 1208 wrote to memory of 1028	1208	4.exe	28
PID 1312 wrote to memory of 572	1312	Explorer.EXE	29
PID 1312 wrote to memory of 572	1312	Explorer.EXE	29
PID 1312 wrote to memory of 572	1312	Explorer.EXE	29
PID 1312 wrote to memory of 572	1312	Explorer.EXE	29
PID 572 wrote to memory of 1488	572	cscript.exe	30
PID 572 wrote to memory of 1488	572	cscript.exe	30
PID 572 wrote to memory of 1488	572	cscript.exe	30
PID 572 wrote to memory of 1488	572	cscript.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\4.exe
  "C:\Users\Admin\AppData\Local\Temp\4.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1208
- - C:\Users\Admin\AppData\Local\Temp\4.exe
    "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1028
- C:\Windows\SysWOW64\cscript.exe
  "C:\Windows\SysWOW64\cscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:572
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\4.exe"
    3⤵
    - Deletes itself
    PID:1488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/572-73-0x00000000008A0000-0x00000000008C2000-memory.dmp

Filesize
136KB

Download
memory/572-79-0x00000000005E0000-0x0000000000673000-memory.dmp

Filesize
588KB

Download
memory/572-77-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/572-76-0x0000000002180000-0x0000000002483000-memory.dmp

Filesize
3.0MB

Download
memory/572-75-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/572-74-0x00000000008A0000-0x00000000008C2000-memory.dmp

Filesize
136KB

Download
memory/1028-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-70-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/1028-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1028-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-66-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1028-67-0x0000000000190000-0x00000000001A4000-memory.dmp

Filesize
80KB

Download
memory/1028-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1028-69-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1208-60-0x00000000007E0000-0x000000000081E000-memory.dmp

Filesize
248KB

Download
memory/1208-54-0x0000000001010000-0x00000000010CA000-memory.dmp

Filesize
744KB

Download
memory/1208-59-0x00000000049A0000-0x0000000004A16000-memory.dmp

Filesize
472KB

Download
memory/1208-58-0x0000000000500000-0x000000000050A000-memory.dmp

Filesize
40KB

Download
memory/1208-57-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/1208-56-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/1208-55-0x0000000004960000-0x00000000049A0000-memory.dmp

Filesize
256KB

Download
memory/1312-71-0x0000000006210000-0x0000000006350000-memory.dmp

Filesize
1.2MB

Download
memory/1312-68-0x0000000007400000-0x00000000075A1000-memory.dmp

Filesize
1.6MB

Download
memory/1312-80-0x0000000005E40000-0x0000000005F1C000-memory.dmp

Filesize
880KB

Download
memory/1312-81-0x0000000005E40000-0x0000000005F1C000-memory.dmp

Filesize
880KB

Download
memory/1312-84-0x0000000005E40000-0x0000000005F1C000-memory.dmp

Filesize
880KB

Download

Analysis

Sharing