formbook | 61894dd6d947ab1237c08e4f020e6462fdc7a96903c7cf27523d4e21304c1612

General

Target

SWIFT Transfer (103) 022FT10230717045.exe
Size

752KB
MD5

dd4f4d6dc2c71e6ad5a6b0abf45f8d5e
SHA1

e90bf49def5509412e3c1f10f959c7a8ce121e9a
SHA256

61894dd6d947ab1237c08e4f020e6462fdc7a96903c7cf27523d4e21304c1612
SHA512

aa46b3c2542b2df05bc0a3bf3e15f34c80673090ba97c1b9ab8f86fb8827e3e45ad9adf9dfbefe7aa48a1d35c4dab2ef2c11c3748ec880ec40c2cbbc453e8d39
SSDEEP

12288:Mf+vUyubcW9Roj0fb/WT4UkuZKXP0s95N3KO6GUPy1h8F0XgbeOTRqymNBoIlz1g:MG8VbcW9Roj0fzW/ZacsB16NP8+7UycC

Score

10^/10

formbook sn26 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sn26

Decoy

resenha10.bet

gulshan-rajput.com

xbus.tech

z813my.cfd

wlxzjlny.cfd

auntengotiempo.com

canada-reservation.com

thegiftcompany.shop

esthersilveirapropiedades.com

1wapws.top

ymjblnvo.cfd

termokimik.net

kushiro-artist-school.com

bmmboo.com

caceresconstructionservices.com

kentuckywalkabout.com

bringyourcart.com

miamiwinetour.com

bobcatsocial.site

thirdmind.network

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/736-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/736-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2064-152-0x0000000000D00000-0x0000000000D2F000-memory.dmp	formbook
behavioral2/memory/2064-154-0x0000000000D00000-0x0000000000D2F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4952 set thread context of 736	4952	SWIFT Transfer (103) 022FT10230717045.exe	96
PID 736 set thread context of 3092	736	SWIFT Transfer (103) 022FT10230717045.exe	51
PID 2064 set thread context of 3092	2064	systray.exe	51

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1722984668-1829624581-3022101259-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4952	SWIFT Transfer (103) 022FT10230717045.exe
4952	SWIFT Transfer (103) 022FT10230717045.exe
736	SWIFT Transfer (103) 022FT10230717045.exe
736	SWIFT Transfer (103) 022FT10230717045.exe
736	SWIFT Transfer (103) 022FT10230717045.exe
736	SWIFT Transfer (103) 022FT10230717045.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe
2064	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3092	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
736	SWIFT Transfer (103) 022FT10230717045.exe
736	SWIFT Transfer (103) 022FT10230717045.exe
736	SWIFT Transfer (103) 022FT10230717045.exe
2064	systray.exe
2064	systray.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	4952	SWIFT Transfer (103) 022FT10230717045.exe
Token: SeDebugPrivilege	736	SWIFT Transfer (103) 022FT10230717045.exe
Token: SeDebugPrivilege	2064	systray.exe
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE
Token: SeShutdownPrivilege	3092	Explorer.EXE
Token: SeCreatePagefilePrivilege	3092	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3092	Explorer.EXE
3092	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3092	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4952 wrote to memory of 2432	4952	SWIFT Transfer (103) 022FT10230717045.exe	95
PID 4952 wrote to memory of 2432	4952	SWIFT Transfer (103) 022FT10230717045.exe	95
PID 4952 wrote to memory of 2432	4952	SWIFT Transfer (103) 022FT10230717045.exe	95
PID 4952 wrote to memory of 736	4952	SWIFT Transfer (103) 022FT10230717045.exe	96
PID 4952 wrote to memory of 736	4952	SWIFT Transfer (103) 022FT10230717045.exe	96
PID 4952 wrote to memory of 736	4952	SWIFT Transfer (103) 022FT10230717045.exe	96
PID 4952 wrote to memory of 736	4952	SWIFT Transfer (103) 022FT10230717045.exe	96
PID 4952 wrote to memory of 736	4952	SWIFT Transfer (103) 022FT10230717045.exe	96
PID 4952 wrote to memory of 736	4952	SWIFT Transfer (103) 022FT10230717045.exe	96
PID 3092 wrote to memory of 2064	3092	Explorer.EXE	97
PID 3092 wrote to memory of 2064	3092	Explorer.EXE	97
PID 3092 wrote to memory of 2064	3092	Explorer.EXE	97
PID 2064 wrote to memory of 2812	2064	systray.exe	98
PID 2064 wrote to memory of 2812	2064	systray.exe	98
PID 2064 wrote to memory of 2812	2064	systray.exe	98

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer (103) 022FT10230717045.exe
  "C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer (103) 022FT10230717045.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4952
- - C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer (103) 022FT10230717045.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer (103) 022FT10230717045.exe"
    3⤵
    PID:2432
- - C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer (103) 022FT10230717045.exe
    "C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer (103) 022FT10230717045.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:736
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\SWIFT Transfer (103) 022FT10230717045.exe"
    3⤵
    PID:2812

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-148-0x0000000001300000-0x0000000001315000-memory.dmp

Filesize
84KB

Download
memory/736-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/736-145-0x00000000017F0000-0x0000000001B3A000-memory.dmp

Filesize
3.3MB

Download
memory/2064-153-0x0000000002C00000-0x0000000002F4A000-memory.dmp

Filesize
3.3MB

Download
memory/2064-157-0x0000000002B00000-0x0000000002B94000-memory.dmp

Filesize
592KB

Download
memory/2064-154-0x0000000000D00000-0x0000000000D2F000-memory.dmp

Filesize
188KB

Download
memory/2064-152-0x0000000000D00000-0x0000000000D2F000-memory.dmp

Filesize
188KB

Download
memory/2064-151-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/2064-150-0x0000000000610000-0x0000000000616000-memory.dmp

Filesize
24KB

Download
memory/3092-149-0x0000000008900000-0x00000000089D8000-memory.dmp

Filesize
864KB

Download
memory/3092-159-0x00000000089E0000-0x0000000008AFD000-memory.dmp

Filesize
1.1MB

Download
memory/3092-158-0x00000000089E0000-0x0000000008AFD000-memory.dmp

Filesize
1.1MB

Download
memory/3092-155-0x0000000008900000-0x00000000089D8000-memory.dmp

Filesize
864KB

Download
memory/4952-137-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/4952-134-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-135-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/4952-136-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/4952-133-0x0000000000EF0000-0x0000000000FB2000-memory.dmp

Filesize
776KB

Download
memory/4952-144-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/4952-138-0x0000000005B70000-0x0000000005B7A000-memory.dmp

Filesize
40KB

Download
memory/4952-141-0x0000000009820000-0x00000000098BC000-memory.dmp

Filesize
624KB

Download
memory/4952-140-0x0000000005990000-0x00000000059A0000-memory.dmp

Filesize
64KB

Download
memory/4952-139-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing