formbook | 7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde

General

Target

Sipariş formu 07.14.exe
Size

263KB
MD5

719c522aec409b51c6868a77f80b6fa8
SHA1

416357c9f7ecc7e9a6e70e3703075f53846f176f
SHA256

7bf47a92fadd875caa70db94a8ef153f7e63296357619e23a27b2d4e0a6a2bde
SHA512

3bd2455092e7ed61838737f68c83e7f4e555dcd92a0a975eb4acff6dd9a08f3986d48afe82d563d8c3db0d1068801b370ad20b3ed517547ed74845a2f1249046
SSDEEP

6144:vYa6ZSSel/J61D4l7EMPHf6G+MDtSSfS606DHTtw7mkNlVxv4ODw:vYrvoJg6diG+MDG60OHTtw7mkZxvu

Score

10^/10

formbook b0y4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b0y4

Decoy

cayocabana.com

handbholidaylighting.com

bombastickmast.com

engageandexceltutoring.com

acdaiucdac.com

alfahifurniture.com

ageingxx.com

app-fintoch.com

quintanaatverde.com

theimperfectangel.com

usvisa-infu.com

774495.com

betjogue.com

jil-fashion.com

luxury-developments.com

tonestarconsulting.com

betonlineaustralia.com

oldglorywineandwhiskey.com

pemimmobiliare.com

carefourexpress.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2188-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2188-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/776-73-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/776-75-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2016	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
1664	Sipariş formu 07.14.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1664 set thread context of 2188	1664	Sipariş formu 07.14.exe	28
PID 2188 set thread context of 1212	2188	Sipariş formu 07.14.exe	22
PID 776 set thread context of 1212	776	cmmon32.exe	22

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2188	Sipariş formu 07.14.exe
2188	Sipariş formu 07.14.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe
776	cmmon32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1212	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
1664	Sipariş formu 07.14.exe
2188	Sipariş formu 07.14.exe
2188	Sipariş formu 07.14.exe
2188	Sipariş formu 07.14.exe
776	cmmon32.exe
776	cmmon32.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	Sipariş formu 07.14.exe
Token: SeDebugPrivilege	776	cmmon32.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1664 wrote to memory of 2188	1664	Sipariş formu 07.14.exe	28
PID 1664 wrote to memory of 2188	1664	Sipariş formu 07.14.exe	28
PID 1664 wrote to memory of 2188	1664	Sipariş formu 07.14.exe	28
PID 1664 wrote to memory of 2188	1664	Sipariş formu 07.14.exe	28
PID 1664 wrote to memory of 2188	1664	Sipariş formu 07.14.exe	28
PID 1212 wrote to memory of 776	1212	Explorer.EXE	29
PID 1212 wrote to memory of 776	1212	Explorer.EXE	29
PID 1212 wrote to memory of 776	1212	Explorer.EXE	29
PID 1212 wrote to memory of 776	1212	Explorer.EXE	29
PID 776 wrote to memory of 2016	776	cmmon32.exe	30
PID 776 wrote to memory of 2016	776	cmmon32.exe	30
PID 776 wrote to memory of 2016	776	cmmon32.exe	30
PID 776 wrote to memory of 2016	776	cmmon32.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe
  "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1664
- - C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe
    "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2188
- C:\Windows\SysWOW64\cmmon32.exe
  "C:\Windows\SysWOW64\cmmon32.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:776
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\Sipariş formu 07.14.exe"
    3⤵
    - Deletes itself
    PID:2016

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nsjB50F.tmp\runakr.dll

Filesize
62KB

MD5
125ee622e7609b69342418d308d58d5f

SHA1
1260b84e326769819d38ea1c082e9f474ead439e

SHA256
4bd5eb814b8be6ec702ff73b01056c315e1426172da219f2578884aec52e81f1

SHA512
4636e9f4c869e5e147a2f8d45b9d814bc58df16784d5d062e9455b714cd73440c011c33ebdbcc35cdee54ee48424d963fa50849c0124c6d6519c804952b7ac4e

Download Submit
memory/776-78-0x0000000001C70000-0x0000000001D03000-memory.dmp

Filesize
588KB

Download
memory/776-75-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/776-74-0x0000000001F40000-0x0000000002243000-memory.dmp

Filesize
3.0MB

Download
memory/776-73-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/776-72-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/776-70-0x00000000003D0000-0x00000000003DD000-memory.dmp

Filesize
52KB

Download
memory/1212-68-0x0000000006C90000-0x0000000006E18000-memory.dmp

Filesize
1.5MB

Download
memory/1212-67-0x0000000002CC0000-0x0000000002DC0000-memory.dmp

Filesize
1024KB

Download
memory/1212-76-0x0000000006C90000-0x0000000006E18000-memory.dmp

Filesize
1.5MB

Download
memory/1212-80-0x0000000004D60000-0x0000000004E15000-memory.dmp

Filesize
724KB

Download
memory/1212-81-0x0000000004D60000-0x0000000004E15000-memory.dmp

Filesize
724KB

Download
memory/1212-83-0x0000000004D60000-0x0000000004E15000-memory.dmp

Filesize
724KB

Download
memory/1664-62-0x00000000743B0000-0x00000000743C3000-memory.dmp

Filesize
76KB

Download
memory/1664-60-0x00000000743B0000-0x00000000743C3000-memory.dmp

Filesize
76KB

Download
memory/2188-66-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/2188-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2188-63-0x00000000008E0000-0x0000000000BE3000-memory.dmp

Filesize
3.0MB

Download
memory/2188-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing