formbook | d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c

General

Target

THREE quotations.exe
Size

766KB
MD5

ae2f78ed3b32a4e7f969ce267778ac66
SHA1

3b7c6425c65933d6b5dac6187e16a0597f3ea5aa
SHA256

d5e9981b7fdef80983edcdda6b3e09870fe991720db4684986ceecb01d24506c
SHA512

f21cf08412c3c53248e7535aa37430f314a6d8e900cc14e908bab730d1c1db555bb8875c9acca9940b1cb5ef6a7d1fdd58ee6abd9b6fe91bd4722d6037e5630e
SSDEEP

12288:0uJas/16/YHmM9mARLAV+/3M73epjTDrFljb3m0z9SFOuDsDtnQkCEgYDjz:0Bs6cV9mA9Im873epjyOxDtQXEnDf

Score

10^/10

formbook ct45 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct45

Decoy

aeepi.com

lifestyledoneright.com

dilojakac.cfd

vievnsfabula.xyz

jiggirirecords.com

sklaap.xyz

prepper.day

tahta4d-vip.info

p94d3.xyz

17819.vip

gptvoucher.com

ig2x0m.com

croppdtt.com

hnnhiuqme6e701.xyz

zeis.xyz

w77773.com

inspantringa.cfd

webnative.xyz

haahhuzns1okd1.xyz

thinkingmansguidetowomen.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3528-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3528-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3888-150-0x0000000000490000-0x00000000004BF000-memory.dmp	formbook
behavioral2/memory/3888-152-0x0000000000490000-0x00000000004BF000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 3528	1624	THREE quotations.exe	89
PID 3528 set thread context of 2680	3528	vbc.exe	55
PID 3888 set thread context of 2680	3888	explorer.exe	55

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
3528	vbc.exe
3528	vbc.exe
3528	vbc.exe
3528	vbc.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe
3888	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3528	vbc.exe
3528	vbc.exe
3528	vbc.exe
3888	explorer.exe
3888	explorer.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3528	vbc.exe
Token: SeDebugPrivilege	3888	explorer.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 3528	1624	THREE quotations.exe	89
PID 1624 wrote to memory of 3528	1624	THREE quotations.exe	89
PID 1624 wrote to memory of 3528	1624	THREE quotations.exe	89
PID 1624 wrote to memory of 3528	1624	THREE quotations.exe	89
PID 1624 wrote to memory of 3528	1624	THREE quotations.exe	89
PID 1624 wrote to memory of 3528	1624	THREE quotations.exe	89
PID 2680 wrote to memory of 3888	2680	Explorer.EXE	90
PID 2680 wrote to memory of 3888	2680	Explorer.EXE	90
PID 2680 wrote to memory of 3888	2680	Explorer.EXE	90
PID 3888 wrote to memory of 4712	3888	explorer.exe	91
PID 3888 wrote to memory of 4712	3888	explorer.exe	91
PID 3888 wrote to memory of 4712	3888	explorer.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2680
- C:\Users\Admin\AppData\Local\Temp\THREE quotations.exe
  "C:\Users\Admin\AppData\Local\Temp\THREE quotations.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3528
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\SysWOW64\explorer.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3888
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
    3⤵
    PID:4712

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-134-0x0000000005C30000-0x00000000061D4000-memory.dmp

Filesize
5.6MB

Download
memory/1624-135-0x0000000005720000-0x00000000057B2000-memory.dmp

Filesize
584KB

Download
memory/1624-136-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download
memory/1624-137-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/1624-138-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/1624-139-0x00000000076C0000-0x000000000775C000-memory.dmp

Filesize
624KB

Download
memory/1624-133-0x0000000000C40000-0x0000000000D06000-memory.dmp

Filesize
792KB

Download
memory/2680-146-0x0000000002B50000-0x0000000002C4A000-memory.dmp

Filesize
1000KB

Download
memory/2680-158-0x0000000008930000-0x0000000008A67000-memory.dmp

Filesize
1.2MB

Download
memory/2680-156-0x0000000008930000-0x0000000008A67000-memory.dmp

Filesize
1.2MB

Download
memory/2680-155-0x0000000008930000-0x0000000008A67000-memory.dmp

Filesize
1.2MB

Download
memory/3528-145-0x0000000001670000-0x0000000001684000-memory.dmp

Filesize
80KB

Download
memory/3528-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3528-143-0x0000000001B30000-0x0000000001E7A000-memory.dmp

Filesize
3.3MB

Download
memory/3528-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3888-147-0x00000000005C0000-0x00000000009F3000-memory.dmp

Filesize
4.2MB

Download
memory/3888-149-0x00000000005C0000-0x00000000009F3000-memory.dmp

Filesize
4.2MB

Download
memory/3888-150-0x0000000000490000-0x00000000004BF000-memory.dmp

Filesize
188KB

Download
memory/3888-151-0x0000000002950000-0x0000000002C9A000-memory.dmp

Filesize
3.3MB

Download
memory/3888-152-0x0000000000490000-0x00000000004BF000-memory.dmp

Filesize
188KB

Download
memory/3888-154-0x0000000002CA0000-0x0000000002D33000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing