formbook | ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4

General

Target

Quotation.exe
Size

899KB
MD5

91bc4999ed5740509f8eceeed0638400
SHA1

f954bd1bd2250d4eb9249f3d9ca5a464b55ee44c
SHA256

ddd9ead73e818770fe8bc81da65f863e2ed6d20a6a32c60817d3edc8c4aa38d4
SHA512

457cf49c4714fb7cb47539b953fffba9168feea9b3fdaa14f59775e7a119d717fbd806b09736df870b295ce894049f0909626e6d968a61426a6df614a5d606d8
SSDEEP

12288:0N8Ne5oHOEQeeZwHyLop6bZFJdj3Kk24ppQRNvSmr5:0CzMwHp6lkk7ppmJj

Score

10^/10

formbook cs94 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cs94

Decoy

dhaliwal3.com

iptvebay.shop

hsfgass33.top

cammali.com

dcleaningseevicesltd.co.uk

amzosecsn-jp.icu

builtmedia.co.uk

duoguang.top

forumken.net

cqivrh.cfd

lr-nexusark.com

carrirae.shop

jtownexclusive.africa

georoiddemo.online

lefinet.com

otc.rsvp

kitchenpharmacy.co.uk

bbywafz248xca4.com

digijockey.com

9-ji.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/1108-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1108-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/580-73-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook
behavioral1/memory/580-75-0x0000000000090000-0x00000000000BF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
1884	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1744 set thread context of 1108	1744	Quotation.exe	28
PID 1108 set thread context of 1292	1108	Quotation.exe	15
PID 580 set thread context of 1292	580	rundll32.exe	15

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
1108	Quotation.exe
1108	Quotation.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe
580	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1108	Quotation.exe
1108	Quotation.exe
1108	Quotation.exe
580	rundll32.exe
580	rundll32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1108	Quotation.exe
Token: SeDebugPrivilege	580	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1744 wrote to memory of 1108	1744	Quotation.exe	28
PID 1744 wrote to memory of 1108	1744	Quotation.exe	28
PID 1744 wrote to memory of 1108	1744	Quotation.exe	28
PID 1744 wrote to memory of 1108	1744	Quotation.exe	28
PID 1744 wrote to memory of 1108	1744	Quotation.exe	28
PID 1744 wrote to memory of 1108	1744	Quotation.exe	28
PID 1744 wrote to memory of 1108	1744	Quotation.exe	28
PID 1292 wrote to memory of 580	1292	Explorer.EXE	29
PID 1292 wrote to memory of 580	1292	Explorer.EXE	29
PID 1292 wrote to memory of 580	1292	Explorer.EXE	29
PID 1292 wrote to memory of 580	1292	Explorer.EXE	29
PID 1292 wrote to memory of 580	1292	Explorer.EXE	29
PID 1292 wrote to memory of 580	1292	Explorer.EXE	29
PID 1292 wrote to memory of 580	1292	Explorer.EXE	29
PID 580 wrote to memory of 1884	580	rundll32.exe	30
PID 580 wrote to memory of 1884	580	rundll32.exe	30
PID 580 wrote to memory of 1884	580	rundll32.exe	30
PID 580 wrote to memory of 1884	580	rundll32.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\Quotation.exe
  "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1744
- - C:\Users\Admin\AppData\Local\Temp\Quotation.exe
    "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1108
- C:\Windows\SysWOW64\rundll32.exe
  "C:\Windows\SysWOW64\rundll32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:580
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Quotation.exe"
    3⤵
    - Deletes itself
    PID:1884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-69-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/580-77-0x0000000001F60000-0x0000000001FF3000-memory.dmp

Filesize
588KB

Download
memory/580-75-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/580-74-0x00000000020F0000-0x00000000023F3000-memory.dmp

Filesize
3.0MB

Download
memory/580-73-0x0000000000090000-0x00000000000BF000-memory.dmp

Filesize
188KB

Download
memory/580-72-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/580-70-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/1108-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-65-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/1108-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1108-67-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/1108-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1108-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1292-78-0x00000000049C0000-0x0000000004A72000-memory.dmp

Filesize
712KB

Download
memory/1292-68-0x0000000006AC0000-0x0000000006BF3000-memory.dmp

Filesize
1.2MB

Download
memory/1292-81-0x00000000049C0000-0x0000000004A72000-memory.dmp

Filesize
712KB

Download
memory/1292-79-0x00000000049C0000-0x0000000004A72000-memory.dmp

Filesize
712KB

Download
memory/1744-59-0x0000000005610000-0x000000000567E000-memory.dmp

Filesize
440KB

Download
memory/1744-56-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1744-55-0x00000000048F0000-0x0000000004930000-memory.dmp

Filesize
256KB

Download
memory/1744-57-0x00000000048F0000-0x0000000004930000-memory.dmp

Filesize
256KB

Download
memory/1744-58-0x0000000000440000-0x000000000044C000-memory.dmp

Filesize
48KB

Download
memory/1744-54-0x0000000000F60000-0x0000000001048000-memory.dmp

Filesize
928KB

Download

Analysis

Sharing