formbook | 250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5

General

Target

COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Size

661KB
MD5

52884584e2bbbd4506596bf9cdebd4f1
SHA1

2d1a5c85486065bb8e947148ab2d0b22d87da8ef
SHA256

250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5
SHA512

f807fa5abb52d9acbda3fc4f680324526fb7f898f844503d8df57bfa24f5391b23ba4dcb1471cc233a88c1aefc4bd558201c698edfb8a1623faf741f7faadeeb
SSDEEP

12288:E2iN/tAqWV7ej9J7k5LXkW/qXo59YPHcnN/tqjg8ca:E1htAX0j9wkR8nN/Ejg8ca

Score

10^/10

formbook upa6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

upa6

Decoy

farmaciadelverde.com

1whcfc.top

djameshomes.com

kylepauley.social

dawncharitabletrust.com

leverdurable.com

bluxban.online

oceansideglass.net

pcdcompusoft.com

dlunion.net

continuumadvisorypartners.com

tvlfood.com

pillblue.co.uk

1win-site-3.top

e32mbe.shop

mawelk.xyz

garage365.online

commonwealthbank.online

xw-04.com

smartcitiesrecruitment.co.uk

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/4924-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4924-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2284-149-0x0000000000830000-0x000000000085F000-memory.dmp	formbook
behavioral2/memory/2284-151-0x0000000000830000-0x000000000085F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4696 set thread context of 4924	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	92
PID 4924 set thread context of 1264	4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	62
PID 2284 set thread context of 1264	2284	wscript.exe	62

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe
2284	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1264	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
2284	wscript.exe
2284	wscript.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Token: SeDebugPrivilege	4924	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
Token: SeDebugPrivilege	2284	wscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4696 wrote to memory of 3392	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	91
PID 4696 wrote to memory of 3392	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	91
PID 4696 wrote to memory of 3392	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	91
PID 4696 wrote to memory of 4924	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	92
PID 4696 wrote to memory of 4924	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	92
PID 4696 wrote to memory of 4924	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	92
PID 4696 wrote to memory of 4924	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	92
PID 4696 wrote to memory of 4924	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	92
PID 4696 wrote to memory of 4924	4696	COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe	92
PID 1264 wrote to memory of 2284	1264	Explorer.EXE	95
PID 1264 wrote to memory of 2284	1264	Explorer.EXE	95
PID 1264 wrote to memory of 2284	1264	Explorer.EXE	95
PID 2284 wrote to memory of 2604	2284	wscript.exe	96
PID 2284 wrote to memory of 2604	2284	wscript.exe	96
PID 2284 wrote to memory of 2604	2284	wscript.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
  "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4696
- - C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    3⤵
    PID:3392
- - C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe
    "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:4924
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:1132
- C:\Windows\SysWOW64\autofmt.exe
  "C:\Windows\SysWOW64\autofmt.exe"
  2⤵
  PID:2196
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\COMMERCAIL INVOICE AND DHL AWB TRACKING DETAILS.exe"
    3⤵
    PID:2604

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1264-145-0x00000000081C0000-0x000000000834C000-memory.dmp

Filesize
1.5MB

Download
memory/1264-157-0x0000000008570000-0x00000000086E6000-memory.dmp

Filesize
1.5MB

Download
memory/1264-155-0x0000000008570000-0x00000000086E6000-memory.dmp

Filesize
1.5MB

Download
memory/1264-154-0x0000000008570000-0x00000000086E6000-memory.dmp

Filesize
1.5MB

Download
memory/2284-150-0x00000000028E0000-0x0000000002C2A000-memory.dmp

Filesize
3.3MB

Download
memory/2284-153-0x00000000027D0000-0x0000000002863000-memory.dmp

Filesize
588KB

Download
memory/2284-151-0x0000000000830000-0x000000000085F000-memory.dmp

Filesize
188KB

Download
memory/2284-149-0x0000000000830000-0x000000000085F000-memory.dmp

Filesize
188KB

Download
memory/2284-148-0x0000000000B60000-0x0000000000B87000-memory.dmp

Filesize
156KB

Download
memory/2284-146-0x0000000000B60000-0x0000000000B87000-memory.dmp

Filesize
156KB

Download
memory/4696-137-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4696-133-0x0000000000040000-0x00000000000EC000-memory.dmp

Filesize
688KB

Download
memory/4696-139-0x0000000008100000-0x000000000819C000-memory.dmp

Filesize
624KB

Download
memory/4696-138-0x0000000004DD0000-0x0000000004DE0000-memory.dmp

Filesize
64KB

Download
memory/4696-136-0x0000000004A80000-0x0000000004A8A000-memory.dmp

Filesize
40KB

Download
memory/4696-135-0x0000000004B60000-0x0000000004BF2000-memory.dmp

Filesize
584KB

Download
memory/4696-134-0x0000000005070000-0x0000000005614000-memory.dmp

Filesize
5.6MB

Download
memory/4924-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4924-144-0x0000000001210000-0x0000000001224000-memory.dmp

Filesize
80KB

Download
memory/4924-142-0x0000000001320000-0x000000000166A000-memory.dmp

Filesize
3.3MB

Download
memory/4924-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing