formbook | 250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5

General

Target

COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Size

661KB
MD5

52884584e2bbbd4506596bf9cdebd4f1
SHA1

2d1a5c85486065bb8e947148ab2d0b22d87da8ef
SHA256

250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5
SHA512

f807fa5abb52d9acbda3fc4f680324526fb7f898f844503d8df57bfa24f5391b23ba4dcb1471cc233a88c1aefc4bd558201c698edfb8a1623faf741f7faadeeb
SSDEEP

12288:E2iN/tAqWV7ej9J7k5LXkW/qXo59YPHcnN/tqjg8ca:E1htAX0j9wkR8nN/Ejg8ca

Score

10^/10

formbook upa6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

upa6

Decoy

farmaciadelverde.com

1whcfc.top

djameshomes.com

kylepauley.social

dawncharitabletrust.com

leverdurable.com

bluxban.online

oceansideglass.net

pcdcompusoft.com

dlunion.net

continuumadvisorypartners.com

tvlfood.com

pillblue.co.uk

1win-site-3.top

e32mbe.shop

mawelk.xyz

garage365.online

commonwealthbank.online

xw-04.com

smartcitiesrecruitment.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1192-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1192-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1168-72-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/1168-74-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

flow	pid	Process
13	1168	cmstp.exe

Deletes itself 1 IoCs

pid	Process
1512	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1568 set thread context of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1192 set thread context of 1272	1192	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	13
PID 1168 set thread context of 1272	1168	cmstp.exe	13

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1192	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
1192	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe
1168	cmstp.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1192	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
1192	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
1192	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
1168	cmstp.exe
1168	cmstp.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1192	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Token: SeDebugPrivilege	1168	cmstp.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1568 wrote to memory of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1568 wrote to memory of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1568 wrote to memory of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1568 wrote to memory of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1568 wrote to memory of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1568 wrote to memory of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1568 wrote to memory of 1192	1568	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	28
PID 1272 wrote to memory of 1168	1272	Explorer.EXE	29
PID 1272 wrote to memory of 1168	1272	Explorer.EXE	29
PID 1272 wrote to memory of 1168	1272	Explorer.EXE	29
PID 1272 wrote to memory of 1168	1272	Explorer.EXE	29
PID 1272 wrote to memory of 1168	1272	Explorer.EXE	29
PID 1272 wrote to memory of 1168	1272	Explorer.EXE	29
PID 1272 wrote to memory of 1168	1272	Explorer.EXE	29
PID 1168 wrote to memory of 1512	1168	cmstp.exe	30
PID 1168 wrote to memory of 1512	1168	cmstp.exe	30
PID 1168 wrote to memory of 1512	1168	cmstp.exe	30
PID 1168 wrote to memory of 1512	1168	cmstp.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
  "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1568
- - C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1192
- C:\Windows\SysWOW64\cmstp.exe
  "C:\Windows\SysWOW64\cmstp.exe"
  2⤵
  - Blocklisted process makes network request
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    3⤵
    - Deletes itself
    PID:1512

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-70-0x0000000000950000-0x0000000000968000-memory.dmp

Filesize
96KB

Download
memory/1168-76-0x0000000000830000-0x00000000008C3000-memory.dmp

Filesize
588KB

Download
memory/1168-74-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1168-73-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/1168-72-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/1168-71-0x0000000000950000-0x0000000000968000-memory.dmp

Filesize
96KB

Download
memory/1192-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1192-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1192-66-0x00000000009B0000-0x0000000000CB3000-memory.dmp

Filesize
3.0MB

Download
memory/1192-68-0x00000000002A0000-0x00000000002B4000-memory.dmp

Filesize
80KB

Download
memory/1192-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1272-77-0x00000000069C0000-0x0000000006ADE000-memory.dmp

Filesize
1.1MB

Download
memory/1272-80-0x00000000069C0000-0x0000000006ADE000-memory.dmp

Filesize
1.1MB

Download
memory/1272-69-0x0000000004E50000-0x0000000004FD4000-memory.dmp

Filesize
1.5MB

Download
memory/1272-78-0x00000000069C0000-0x0000000006ADE000-memory.dmp

Filesize
1.1MB

Download
memory/1568-60-0x0000000005C80000-0x0000000005CB8000-memory.dmp

Filesize
224KB

Download
memory/1568-57-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1568-56-0x0000000000820000-0x000000000082E000-memory.dmp

Filesize
56KB

Download
memory/1568-58-0x0000000000830000-0x000000000083A000-memory.dmp

Filesize
40KB

Download
memory/1568-55-0x0000000004BF0000-0x0000000004C30000-memory.dmp

Filesize
256KB

Download
memory/1568-59-0x0000000005EC0000-0x0000000005F30000-memory.dmp

Filesize
448KB

Download
memory/1568-54-0x0000000000900000-0x00000000009AC000-memory.dmp

Filesize
688KB

Download

Analysis

Sharing