formbook | e4b8b19c8c8fd39ae06ba2ec632970e7fe16f78ca1f91582461de5da1403a4ed

General

Target

tmp.exe
Size

748KB
MD5

b5027bab17fb5aa21f00bf3ba4528661
SHA1

b355cce034c4c385e7ee27c979a7e10877e3543b
SHA256

e4b8b19c8c8fd39ae06ba2ec632970e7fe16f78ca1f91582461de5da1403a4ed
SHA512

f5bf202f0d4d85278d0fb68489cb5f9e322637d59cb29aa513151507a8131b92f1cc7237c1e134efdf165f1edf267dbd1fd5508afa3f97b83e7b85c0e9bb26b7
SSDEEP

12288:LsokiF9BChPxxI4VTzCHp8z2ko1bnSSGM8WMupmLwiAdT6/F:QokiZChP8Uzwp8z2BF/AWAwdT6/

Score

10^/10

formbook oy30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oy30

Decoy

rfc234.top

danielcavalari.com

elperegrinocabo.com

aryor.info

surelistening.com

premium-numero-telf.buzz

orlynyml.click

tennislovers-ro.com

holdmytracker.com

eewapay.com

jaimesinstallglass.com

damactrade.net

swapspecialities.com

perfumesrffd.today

salesfactory.pro

supportive-solutions.com

naiol.com

khoyr.com

kalendeargpt44.com

web-tech-spb.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2976-67-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2976-71-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2976-75-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2696-83-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook
behavioral1/memory/2696-85-0x00000000000D0000-0x00000000000FF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2640	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2668 set thread context of 2976	2668	tmp.exe	30
PID 2976 set thread context of 1292	2976	tmp.exe	21
PID 2976 set thread context of 1292	2976	tmp.exe	21
PID 2696 set thread context of 1292	2696	msiexec.exe	21

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2976	tmp.exe
2976	tmp.exe
2976	tmp.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe
2696	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1292	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
2976	tmp.exe
2976	tmp.exe
2976	tmp.exe
2976	tmp.exe
2696	msiexec.exe
2696	msiexec.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2976	tmp.exe
Token: SeDebugPrivilege	2696	msiexec.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2976	2668	tmp.exe	30
PID 2668 wrote to memory of 2976	2668	tmp.exe	30
PID 2668 wrote to memory of 2976	2668	tmp.exe	30
PID 2668 wrote to memory of 2976	2668	tmp.exe	30
PID 2668 wrote to memory of 2976	2668	tmp.exe	30
PID 2668 wrote to memory of 2976	2668	tmp.exe	30
PID 2668 wrote to memory of 2976	2668	tmp.exe	30
PID 1292 wrote to memory of 2696	1292	Explorer.EXE	31
PID 1292 wrote to memory of 2696	1292	Explorer.EXE	31
PID 1292 wrote to memory of 2696	1292	Explorer.EXE	31
PID 1292 wrote to memory of 2696	1292	Explorer.EXE	31
PID 1292 wrote to memory of 2696	1292	Explorer.EXE	31
PID 1292 wrote to memory of 2696	1292	Explorer.EXE	31
PID 1292 wrote to memory of 2696	1292	Explorer.EXE	31
PID 2696 wrote to memory of 2640	2696	msiexec.exe	32
PID 2696 wrote to memory of 2640	2696	msiexec.exe	32
PID 2696 wrote to memory of 2640	2696	msiexec.exe	32
PID 2696 wrote to memory of 2640	2696	msiexec.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2668
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2976
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Deletes itself
    PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1292-93-0x0000000004260000-0x000000000431D000-memory.dmp

Filesize
756KB

Download
memory/1292-73-0x0000000006B60000-0x0000000006CB1000-memory.dmp

Filesize
1.3MB

Download
memory/1292-79-0x0000000006B60000-0x0000000006CB1000-memory.dmp

Filesize
1.3MB

Download
memory/1292-86-0x0000000006CC0000-0x0000000006E0E000-memory.dmp

Filesize
1.3MB

Download
memory/1292-77-0x0000000006CC0000-0x0000000006E0E000-memory.dmp

Filesize
1.3MB

Download
memory/1292-89-0x0000000002B80000-0x0000000002C80000-memory.dmp

Filesize
1024KB

Download
memory/1292-90-0x0000000004260000-0x000000000431D000-memory.dmp

Filesize
756KB

Download
memory/1292-91-0x0000000004260000-0x000000000431D000-memory.dmp

Filesize
756KB

Download
memory/2668-57-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-60-0x0000000005CC0000-0x0000000005D48000-memory.dmp

Filesize
544KB

Download
memory/2668-59-0x0000000000920000-0x000000000092E000-memory.dmp

Filesize
56KB

Download
memory/2668-58-0x00000000041F0000-0x0000000004230000-memory.dmp

Filesize
256KB

Download
memory/2668-68-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2668-56-0x00000000040C0000-0x00000000040D6000-memory.dmp

Filesize
88KB

Download
memory/2668-53-0x0000000000980000-0x0000000000A42000-memory.dmp

Filesize
776KB

Download
memory/2668-55-0x00000000041F0000-0x0000000004230000-memory.dmp

Filesize
256KB

Download
memory/2668-54-0x0000000074910000-0x0000000074FFE000-memory.dmp

Filesize
6.9MB

Download
memory/2696-83-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/2696-84-0x00000000022F0000-0x00000000025F3000-memory.dmp

Filesize
3.0MB

Download
memory/2696-88-0x0000000000C50000-0x0000000000CE4000-memory.dmp

Filesize
592KB

Download
memory/2696-78-0x00000000007B0000-0x00000000007C4000-memory.dmp

Filesize
80KB

Download
memory/2696-85-0x00000000000D0000-0x00000000000FF000-memory.dmp

Filesize
188KB

Download
memory/2696-80-0x00000000007B0000-0x00000000007C4000-memory.dmp

Filesize
80KB

Download
memory/2696-82-0x00000000007B0000-0x00000000007C4000-memory.dmp

Filesize
80KB

Download
memory/2976-71-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-75-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-72-0x0000000000180000-0x0000000000195000-memory.dmp

Filesize
84KB

Download
memory/2976-69-0x0000000000BE0000-0x0000000000EE3000-memory.dmp

Filesize
3.0MB

Download
memory/2976-76-0x00000000001D0000-0x00000000001E5000-memory.dmp

Filesize
84KB

Download
memory/2976-67-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2976-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2976-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing