formbook | cc0f366752ad8832bf26a387da04626c8db6f00a69d5a98ce5934d0db01c1329

General

Target

rProductSpecs.exe
Size

594KB
MD5

05579b705197cc4ff3728af6d4d49f08
SHA1

89fb958792780a68990427aa3d8dfc9262c05dc1
SHA256

cc0f366752ad8832bf26a387da04626c8db6f00a69d5a98ce5934d0db01c1329
SHA512

b2bb887f3f07aa64afd7d3c6afce1532c83d380b25e0ef984ac591e3a4aac4980f18367370ddfbb0028bedc43b2ca4020f2b99fa149c75cff6e1ed7ed7b113bc
SSDEEP

12288:fbqwi/iWsjKX/Covqtk1Nla6KU9HTk8WjssUD1hZfxgEqD:jqwiiW9CysDOg8fh9xC

Score

10^/10

formbook hinf rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hinf

Decoy

gemaprojects.com

infinitymarketingsystems.com

pustmegfram.com

mydetailaccelerator.com

zeusoffyp6.click

thegoddessofthehunt.com

abajim.com

jctrhc78.com

iyouiyiti.com

jobscnwire.com

emirates-tobacco.com

onledutech.com

medicinefloor.com

lghyr.fun

dohodnaavtomate.online

fbaxqevemd7.xyz

descontode70porcento.online

assmaco.com

bb845933.site

pinapplecapital.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2820-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2820-19-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2884-24-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2884-26-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2852	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1716 set thread context of 2820	1716	rProductSpecs.exe	30
PID 2820 set thread context of 1400	2820	rProductSpecs.exe	13
PID 2884 set thread context of 1400	2884	svchost.exe	13

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2820	rProductSpecs.exe
2820	rProductSpecs.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe
2884	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1400	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2820	rProductSpecs.exe
2820	rProductSpecs.exe
2820	rProductSpecs.exe
2884	svchost.exe
2884	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2820	rProductSpecs.exe
Token: SeDebugPrivilege	2884	svchost.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 2820	1716	rProductSpecs.exe	30
PID 1716 wrote to memory of 2820	1716	rProductSpecs.exe	30
PID 1716 wrote to memory of 2820	1716	rProductSpecs.exe	30
PID 1716 wrote to memory of 2820	1716	rProductSpecs.exe	30
PID 1716 wrote to memory of 2820	1716	rProductSpecs.exe	30
PID 1716 wrote to memory of 2820	1716	rProductSpecs.exe	30
PID 1716 wrote to memory of 2820	1716	rProductSpecs.exe	30
PID 1400 wrote to memory of 2884	1400	Explorer.EXE	31
PID 1400 wrote to memory of 2884	1400	Explorer.EXE	31
PID 1400 wrote to memory of 2884	1400	Explorer.EXE	31
PID 1400 wrote to memory of 2884	1400	Explorer.EXE	31
PID 2884 wrote to memory of 2852	2884	svchost.exe	32
PID 2884 wrote to memory of 2852	2884	svchost.exe	32
PID 2884 wrote to memory of 2852	2884	svchost.exe	32
PID 2884 wrote to memory of 2852	2884	svchost.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe
  "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe
    "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2820
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\rProductSpecs.exe"
    3⤵
    - Deletes itself
    PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1400-42-0x000007FE835A0000-0x000007FE835AA000-memory.dmp

Filesize
40KB

Download
memory/1400-30-0x0000000009170000-0x00000000092E7000-memory.dmp

Filesize
1.5MB

Download
memory/1400-21-0x0000000006D80000-0x0000000006F28000-memory.dmp

Filesize
1.7MB

Download
memory/1400-32-0x0000000009170000-0x00000000092E7000-memory.dmp

Filesize
1.5MB

Download
memory/1400-29-0x0000000009170000-0x00000000092E7000-memory.dmp

Filesize
1.5MB

Download
memory/1400-38-0x000007FEF58B0000-0x000007FEF59F3000-memory.dmp

Filesize
1.3MB

Download
memory/1400-39-0x000007FE835A0000-0x000007FE835AA000-memory.dmp

Filesize
40KB

Download
memory/1400-41-0x000007FEF58B0000-0x000007FEF59F3000-memory.dmp

Filesize
1.3MB

Download
memory/1716-4-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-8-0x0000000005680000-0x00000000056EE000-memory.dmp

Filesize
440KB

Download
memory/1716-7-0x0000000000590000-0x000000000059E000-memory.dmp

Filesize
56KB

Download
memory/1716-6-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/1716-5-0x00000000045E0000-0x0000000004620000-memory.dmp

Filesize
256KB

Download
memory/1716-16-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-0-0x0000000074530000-0x0000000074C1E000-memory.dmp

Filesize
6.9MB

Download
memory/1716-3-0x0000000001E10000-0x0000000001E2A000-memory.dmp

Filesize
104KB

Download
memory/1716-2-0x00000000045E0000-0x0000000004620000-memory.dmp

Filesize
256KB

Download
memory/1716-1-0x0000000000970000-0x0000000000A0A000-memory.dmp

Filesize
616KB

Download
memory/2820-17-0x0000000000A10000-0x0000000000D13000-memory.dmp

Filesize
3.0MB

Download
memory/2820-20-0x0000000000290000-0x00000000002A4000-memory.dmp

Filesize
80KB

Download
memory/2820-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2820-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2820-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2884-23-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download
memory/2884-24-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2884-25-0x0000000000760000-0x0000000000A63000-memory.dmp

Filesize
3.0MB

Download
memory/2884-26-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2884-28-0x00000000004D0000-0x0000000000563000-memory.dmp

Filesize
588KB

Download
memory/2884-22-0x0000000000120000-0x0000000000128000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing