formbook | 556c89d97bff251e5a6e5db0b9e7dc69f11752758538ecbba759c9347ae4b2a9

General

Target

DHL_AWB_907853880911.exe
Size

599KB
MD5

84783a2493baf6e8db916c57e81f90bc
SHA1

bb4360a60ae5d25d1d90790ee993de7a1a0f5ed2
SHA256

556c89d97bff251e5a6e5db0b9e7dc69f11752758538ecbba759c9347ae4b2a9
SHA512

52c971a43bdd8e5030a9f7472b4e510e700d7227f52d66fa3a1f907a1b1ea7cc6f6ffd3b3801f985a8d2f141c140ded2fcca12cb9c188875e463bd9d8b8a7c6f
SSDEEP

12288:MgniF9czTFlkDiVgWMLudJ9eJP2+LbxowdZWUMMytEAiV5:MgniUPFkiPXgJTbew3WUfyN+

Score

10^/10

formbook f1w6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

f1w6

Decoy

yourcomplexproject.com

ceoclubonline.com

omkararts.com

oldiefans.info

kalendrgptapp37.com

expetowing.com

531008.com

shguojibu.com

proartesmarciales.com

mlo564.xyz

canada-topsales.com

your-local-girls.info

hitroader.com

hoagiepalooza.site

wallstreetbull.online

pw786.vip

salamcleaning.com

carbon-cars.com

playacabarete.net

ifgfunds.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1416-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1416-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/736-152-0x0000000000A90000-0x0000000000ABF000-memory.dmp	formbook
behavioral2/memory/736-154-0x0000000000A90000-0x0000000000ABF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4480 set thread context of 1416	4480	DHL_AWB_907853880911.exe	89
PID 1416 set thread context of 3168	1416	DHL_AWB_907853880911.exe	44
PID 736 set thread context of 3168	736	systray.exe	44

Suspicious behavior: EnumeratesProcesses 48 IoCs

pid	Process
4480	DHL_AWB_907853880911.exe
4480	DHL_AWB_907853880911.exe
4480	DHL_AWB_907853880911.exe
4480	DHL_AWB_907853880911.exe
4480	DHL_AWB_907853880911.exe
4480	DHL_AWB_907853880911.exe
1416	DHL_AWB_907853880911.exe
1416	DHL_AWB_907853880911.exe
1416	DHL_AWB_907853880911.exe
1416	DHL_AWB_907853880911.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe
736	systray.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3168	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1416	DHL_AWB_907853880911.exe
1416	DHL_AWB_907853880911.exe
1416	DHL_AWB_907853880911.exe
736	systray.exe
736	systray.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4480	DHL_AWB_907853880911.exe
Token: SeDebugPrivilege	1416	DHL_AWB_907853880911.exe
Token: SeDebugPrivilege	736	systray.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 1416	4480	DHL_AWB_907853880911.exe	89
PID 4480 wrote to memory of 1416	4480	DHL_AWB_907853880911.exe	89
PID 4480 wrote to memory of 1416	4480	DHL_AWB_907853880911.exe	89
PID 4480 wrote to memory of 1416	4480	DHL_AWB_907853880911.exe	89
PID 4480 wrote to memory of 1416	4480	DHL_AWB_907853880911.exe	89
PID 4480 wrote to memory of 1416	4480	DHL_AWB_907853880911.exe	89
PID 3168 wrote to memory of 736	3168	Explorer.EXE	90
PID 3168 wrote to memory of 736	3168	Explorer.EXE	90
PID 3168 wrote to memory of 736	3168	Explorer.EXE	90
PID 736 wrote to memory of 4912	736	systray.exe	91
PID 736 wrote to memory of 4912	736	systray.exe	91
PID 736 wrote to memory of 4912	736	systray.exe	91

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Users\Admin\AppData\Local\Temp\DHL_AWB_907853880911.exe
  "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_907853880911.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4480
- - C:\Users\Admin\AppData\Local\Temp\DHL_AWB_907853880911.exe
    "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_907853880911.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:736
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\DHL_AWB_907853880911.exe"
    3⤵
    PID:4912

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/736-150-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/736-157-0x0000000002870000-0x0000000002904000-memory.dmp

Filesize
592KB

Download
memory/736-154-0x0000000000A90000-0x0000000000ABF000-memory.dmp

Filesize
188KB

Download
memory/736-153-0x0000000002A20000-0x0000000002D6A000-memory.dmp

Filesize
3.3MB

Download
memory/736-152-0x0000000000A90000-0x0000000000ABF000-memory.dmp

Filesize
188KB

Download
memory/736-151-0x0000000000B80000-0x0000000000B86000-memory.dmp

Filesize
24KB

Download
memory/1416-148-0x0000000001500000-0x0000000001515000-memory.dmp

Filesize
84KB

Download
memory/1416-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-145-0x0000000001590000-0x00000000018DA000-memory.dmp

Filesize
3.3MB

Download
memory/1416-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3168-155-0x0000000008120000-0x00000000081F5000-memory.dmp

Filesize
852KB

Download
memory/3168-161-0x0000000008990000-0x0000000008ADC000-memory.dmp

Filesize
1.3MB

Download
memory/3168-159-0x0000000008990000-0x0000000008ADC000-memory.dmp

Filesize
1.3MB

Download
memory/3168-158-0x0000000008990000-0x0000000008ADC000-memory.dmp

Filesize
1.3MB

Download
memory/3168-149-0x0000000008120000-0x00000000081F5000-memory.dmp

Filesize
852KB

Download
memory/4480-139-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-138-0x00000000056C0000-0x00000000056CA000-memory.dmp

Filesize
40KB

Download
memory/4480-137-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4480-136-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/4480-135-0x0000000005C50000-0x00000000061F4000-memory.dmp

Filesize
5.6MB

Download
memory/4480-140-0x0000000005660000-0x0000000005670000-memory.dmp

Filesize
64KB

Download
memory/4480-134-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-133-0x0000000000C70000-0x0000000000D0A000-memory.dmp

Filesize
616KB

Download
memory/4480-144-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/4480-141-0x000000000AD20000-0x000000000ADBC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing