formbook | f2f85fa1743b7a06367166912a274cacfff5f43fb59b358ef5913e3dd5d7a0a9

General

Target

scan.tt-pdf/vgwR4TopGfezKSf.exe
Size

587KB
MD5

28add1243c433986dbb73ef4e6763fa1
SHA1

eb5c172e07f5f8b7e30417ee8547a58b05996756
SHA256

73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d
SHA512

af35f5f3540b3110602222f917ea9fa76cf743573826d3e1a89472ed7623d88be97cd7c9f4c3d9c8b38d0ff7d2bed2c708809a1cda5de93990389e3bd6970542
SSDEEP

12288:3r4lrrr/zYPeL3bhmL8NnTl/EOnOzfAq3zStUunsB:3r4lXr/zieL3boQRlNn3q3ujns

Score

10^/10

formbook d6dt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d6dt

Decoy

curenveda.com

mavilitur.xyz

airdropfisher.com

jxwqeumw.click

solepowertool.com

quickmartltd.com

postbh.com

aerialcarried.click

teamabr-rfa.com

jeagma9k.click

aquaafiafoodsafety.com

dangtutu.com

lahfhg.com

patricia-lee.com

nextgencoders.tech

scercommerce.online

crates.surf

casamorganagelatos.com

dwynet.com

3genenterprisesllc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1440-142-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1440-147-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3276-152-0x0000000000F50000-0x0000000000F7F000-memory.dmp	formbook
behavioral2/memory/3276-154-0x0000000000F50000-0x0000000000F7F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 4468 set thread context of 1440	4468	vgwR4TopGfezKSf.exe	91
PID 1440 set thread context of 3180	1440	vgwR4TopGfezKSf.exe	53
PID 3276 set thread context of 3180	3276	msdt.exe	53

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
1440	vgwR4TopGfezKSf.exe
1440	vgwR4TopGfezKSf.exe
1440	vgwR4TopGfezKSf.exe
1440	vgwR4TopGfezKSf.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe
3276	msdt.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3180	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1440	vgwR4TopGfezKSf.exe
1440	vgwR4TopGfezKSf.exe
1440	vgwR4TopGfezKSf.exe
3276	msdt.exe
3276	msdt.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1440	vgwR4TopGfezKSf.exe
Token: SeDebugPrivilege	3276	msdt.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 1440	4468	vgwR4TopGfezKSf.exe	91
PID 4468 wrote to memory of 1440	4468	vgwR4TopGfezKSf.exe	91
PID 4468 wrote to memory of 1440	4468	vgwR4TopGfezKSf.exe	91
PID 4468 wrote to memory of 1440	4468	vgwR4TopGfezKSf.exe	91
PID 4468 wrote to memory of 1440	4468	vgwR4TopGfezKSf.exe	91
PID 4468 wrote to memory of 1440	4468	vgwR4TopGfezKSf.exe	91
PID 3180 wrote to memory of 3276	3180	Explorer.EXE	93
PID 3180 wrote to memory of 3276	3180	Explorer.EXE	93
PID 3180 wrote to memory of 3276	3180	Explorer.EXE	93
PID 3276 wrote to memory of 2796	3276	msdt.exe	94
PID 3276 wrote to memory of 2796	3276	msdt.exe	94
PID 3276 wrote to memory of 2796	3276	msdt.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Users\Admin\AppData\Local\Temp\scan.tt-pdf\vgwR4TopGfezKSf.exe
  "C:\Users\Admin\AppData\Local\Temp\scan.tt-pdf\vgwR4TopGfezKSf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:4468
- - C:\Users\Admin\AppData\Local\Temp\scan.tt-pdf\vgwR4TopGfezKSf.exe
    "C:\Users\Admin\AppData\Local\Temp\scan.tt-pdf\vgwR4TopGfezKSf.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1440
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:3500
- C:\Windows\SysWOW64\msdt.exe
  "C:\Windows\SysWOW64\msdt.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3276
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\scan.tt-pdf\vgwR4TopGfezKSf.exe"
    3⤵
    PID:2796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1440-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-148-0x00000000010A0000-0x00000000010B5000-memory.dmp

Filesize
84KB

Download
memory/1440-147-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1440-145-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/3180-161-0x0000000008430000-0x000000000855F000-memory.dmp

Filesize
1.2MB

Download
memory/3180-159-0x0000000008430000-0x000000000855F000-memory.dmp

Filesize
1.2MB

Download
memory/3180-158-0x0000000008430000-0x000000000855F000-memory.dmp

Filesize
1.2MB

Download
memory/3180-155-0x0000000008C80000-0x0000000008DFD000-memory.dmp

Filesize
1.5MB

Download
memory/3180-149-0x0000000008C80000-0x0000000008DFD000-memory.dmp

Filesize
1.5MB

Download
memory/3276-153-0x0000000003260000-0x00000000035AA000-memory.dmp

Filesize
3.3MB

Download
memory/3276-154-0x0000000000F50000-0x0000000000F7F000-memory.dmp

Filesize
188KB

Download
memory/3276-157-0x0000000003030000-0x00000000030C4000-memory.dmp

Filesize
592KB

Download
memory/3276-152-0x0000000000F50000-0x0000000000F7F000-memory.dmp

Filesize
188KB

Download
memory/3276-151-0x0000000000080000-0x00000000000D7000-memory.dmp

Filesize
348KB

Download
memory/3276-150-0x0000000000080000-0x00000000000D7000-memory.dmp

Filesize
348KB

Download
memory/4468-138-0x0000000004B20000-0x0000000004B2A000-memory.dmp

Filesize
40KB

Download
memory/4468-139-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4468-140-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4468-133-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4468-144-0x0000000074970000-0x0000000075120000-memory.dmp

Filesize
7.7MB

Download
memory/4468-137-0x0000000004D90000-0x0000000004DA0000-memory.dmp

Filesize
64KB

Download
memory/4468-141-0x0000000008CD0000-0x0000000008D6C000-memory.dmp

Filesize
624KB

Download
memory/4468-136-0x0000000004B70000-0x0000000004C02000-memory.dmp

Filesize
584KB

Download
memory/4468-135-0x0000000005080000-0x0000000005624000-memory.dmp

Filesize
5.6MB

Download
memory/4468-134-0x0000000000090000-0x000000000012A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing