formbook | 091305d3595b7324e7fb674b6120cdb142a6196e796f890fd625e76a014211e8

General

Target

QUOTE REQUEST 047855273660.exe
Size

725KB
MD5

065cf92b7519116b3cbb416e7d31dfba
SHA1

706b218470e606e34d6605b6ed776f67c35efc94
SHA256

091305d3595b7324e7fb674b6120cdb142a6196e796f890fd625e76a014211e8
SHA512

588e33825a813d9ed577e76c8926246633886b6f653f5ddc6f515c16fffbf5438018ba71eb720251d3d53bde1a780acdeb3723148ee6b8604cc168375b451f37
SSDEEP

6144:/Jepo8KR2VeL6CIVNcCCBxvIM+PBJUWaYh08H+xxPC8ZhG1xVaqklq5LTyrHsVfm:amZQVtY9GA/4QWM723tlC1tRX0po/9D

Score

10^/10

formbook jy95 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy95

Decoy

do-si-dough.com

cchapmanganato.com

04it.icu

kawebdesign.site

oasisconnects.com

op091.com

psychicstandupcomedy.com

harveylee.online

x55568.com

orbinlopez.one

45745931.buzz

undiereleaseco.com

cludybot.net

sailtmtbar.com

siennashih.com

premintxyz.net

xn--bj4bt9j.com

giornalaiditalia.com

colorfullemonade.com

baddiebearz.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2108-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2108-66-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2936-71-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2936-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2052	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2224 set thread context of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 2108 set thread context of 1212	2108	QUOTE REQUEST 047855273660.exe	12
PID 2936 set thread context of 1212	2936	svchost.exe	12

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2108	QUOTE REQUEST 047855273660.exe
2108	QUOTE REQUEST 047855273660.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe
2936	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2108	QUOTE REQUEST 047855273660.exe
2108	QUOTE REQUEST 047855273660.exe
2108	QUOTE REQUEST 047855273660.exe
2936	svchost.exe
2936	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	QUOTE REQUEST 047855273660.exe
Token: SeDebugPrivilege	2936	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 2224 wrote to memory of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 2224 wrote to memory of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 2224 wrote to memory of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 2224 wrote to memory of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 2224 wrote to memory of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 2224 wrote to memory of 2108	2224	QUOTE REQUEST 047855273660.exe	29
PID 1212 wrote to memory of 2936	1212	Explorer.EXE	30
PID 1212 wrote to memory of 2936	1212	Explorer.EXE	30
PID 1212 wrote to memory of 2936	1212	Explorer.EXE	30
PID 1212 wrote to memory of 2936	1212	Explorer.EXE	30
PID 2936 wrote to memory of 2052	2936	svchost.exe	31
PID 2936 wrote to memory of 2052	2936	svchost.exe	31
PID 2936 wrote to memory of 2052	2936	svchost.exe	31
PID 2936 wrote to memory of 2052	2936	svchost.exe	31

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST 047855273660.exe
  "C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST 047855273660.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST 047855273660.exe
    "C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST 047855273660.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2108
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\QUOTE REQUEST 047855273660.exe"
    3⤵
    - Deletes itself
    PID:2052

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-68-0x0000000008AE0000-0x0000000008C4E000-memory.dmp

Filesize
1.4MB

Download
memory/1212-82-0x000007FEEC2E0000-0x000007FEEC2EA000-memory.dmp

Filesize
40KB

Download
memory/1212-80-0x0000000009620000-0x000000000975D000-memory.dmp

Filesize
1.2MB

Download
memory/1212-78-0x0000000009620000-0x000000000975D000-memory.dmp

Filesize
1.2MB

Download
memory/1212-77-0x0000000009620000-0x000000000975D000-memory.dmp

Filesize
1.2MB

Download
memory/1212-75-0x0000000003C50000-0x0000000003E50000-memory.dmp

Filesize
2.0MB

Download
memory/2108-67-0x0000000000180000-0x0000000000194000-memory.dmp

Filesize
80KB

Download
memory/2108-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2108-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-65-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/2108-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2108-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-59-0x00000000050F0000-0x000000000515E000-memory.dmp

Filesize
440KB

Download
memory/2224-54-0x0000000000FA0000-0x000000000105C000-memory.dmp

Filesize
752KB

Download
memory/2224-58-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2224-57-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2224-56-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2224-55-0x0000000004A20000-0x0000000004A60000-memory.dmp

Filesize
256KB

Download
memory/2936-70-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2936-69-0x0000000000440000-0x0000000000448000-memory.dmp

Filesize
32KB

Download
memory/2936-71-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2936-72-0x0000000000720000-0x0000000000A23000-memory.dmp

Filesize
3.0MB

Download
memory/2936-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2936-76-0x0000000000630000-0x00000000006C3000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing