formbook | f910b739d3d727fc1f5acde88b0740a575c603dc6c61246156c5debd6bd126bc

General

Target

Quotationv.exe
Size

669KB
MD5

52cfc15a97799e70a8b4a39b04bc8e2b
SHA1

2cfa4daab21dd8115167a3ccba0080f5fdad63ff
SHA256

f910b739d3d727fc1f5acde88b0740a575c603dc6c61246156c5debd6bd126bc
SHA512

95b7d0c4942703ebfec9d405bfe08efd1f11c2af3b9f65e05bef5afb3440fabcff5e5733de9bec824331d6b22c26e72419e25ca66a6948c07c0c4d4cc98fcdc3
SSDEEP

12288:lZq251MgHoOqx2sw/6h1/6tj/jrgLLZTh45s+hKeOknD1rfF32grpiAFKWDckjQc:3PjQLlahnrNbQAZgkj5

Score

10^/10

formbook pdup rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pdup

Decoy

mycharlesschwab.com

casinocode.online

lesliemostellerart.com

cdtevergreen.com

jualpenirumasli.com

lvyouonline.com

moteaiai.com

coachmo13.com

lampungtimur.com

sellmycapecodhouse.com

wearschool.com

onlinekazancyollari.com

ubmotherhood.com

sqyxedu.com

sibate518.com

energygv.com

sathsathhain.com

paperghostsbook.com

investinbritain.net

tansuokeji.ink

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2636-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2636-16-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2644-21-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook
behavioral1/memory/2644-23-0x0000000000080000-0x00000000000AE000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1840 cmd.exe

pid	process
1840	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Quotationv.exeQuotationv.exeexplorer.exe

description	pid	process	target process
PID 1672 set thread context of 2636	1672	Quotationv.exe	Quotationv.exe
PID 2636 set thread context of 1256	2636	Quotationv.exe	Explorer.EXE
PID 2644 set thread context of 1256	2644	explorer.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

Quotationv.exeQuotationv.exeexplorer.exe

pid	process
1672	Quotationv.exe
1672	Quotationv.exe
2636	Quotationv.exe
2636	Quotationv.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe
2644	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1256 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Quotationv.exeexplorer.exe

pid process

2636 Quotationv.exe
2636 Quotationv.exe
2636 Quotationv.exe
2644 explorer.exe
2644 explorer.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

Quotationv.exeQuotationv.exeexplorer.exe

description pid process

Token: SeDebugPrivilege 1672 Quotationv.exe
Token: SeDebugPrivilege 2636 Quotationv.exe
Token: SeDebugPrivilege 2644 explorer.exe

pid	process
1256	Explorer.EXE

pid	process
2636	Quotationv.exe
2636	Quotationv.exe
2636	Quotationv.exe
2644	explorer.exe
2644	explorer.exe

description	pid	process
Token: SeDebugPrivilege	1672	Quotationv.exe
Token: SeDebugPrivilege	2636	Quotationv.exe
Token: SeDebugPrivilege	2644	explorer.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Quotationv.exeExplorer.EXEexplorer.exe

description	pid	process	target process
PID 1672 wrote to memory of 2636	1672	Quotationv.exe	Quotationv.exe
PID 1672 wrote to memory of 2636	1672	Quotationv.exe	Quotationv.exe
PID 1672 wrote to memory of 2636	1672	Quotationv.exe	Quotationv.exe
PID 1672 wrote to memory of 2636	1672	Quotationv.exe	Quotationv.exe
PID 1672 wrote to memory of 2636	1672	Quotationv.exe	Quotationv.exe
PID 1672 wrote to memory of 2636	1672	Quotationv.exe	Quotationv.exe
PID 1672 wrote to memory of 2636	1672	Quotationv.exe	Quotationv.exe
PID 1256 wrote to memory of 2644	1256	Explorer.EXE	explorer.exe
PID 1256 wrote to memory of 2644	1256	Explorer.EXE	explorer.exe
PID 1256 wrote to memory of 2644	1256	Explorer.EXE	explorer.exe
PID 1256 wrote to memory of 2644	1256	Explorer.EXE	explorer.exe
PID 2644 wrote to memory of 1840	2644	explorer.exe	cmd.exe
PID 2644 wrote to memory of 1840	2644	explorer.exe	cmd.exe
PID 2644 wrote to memory of 1840	2644	explorer.exe	cmd.exe
PID 2644 wrote to memory of 1840	2644	explorer.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\Quotationv.exe
"C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1672

C:\Users\Admin\AppData\Local\Temp\Quotationv.exe
"{path}"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\SysWOW64\explorer.exe
"C:\Windows\SysWOW64\explorer.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2644

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Quotationv.exe"
3⤵
- Deletes itself
PID:1840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-30-0x0000000006360000-0x000000000646D000-memory.dmp

Filesize
1.1MB

Download
memory/1256-29-0x0000000006360000-0x000000000646D000-memory.dmp

Filesize
1.1MB

Download
memory/1256-28-0x0000000006360000-0x000000000646D000-memory.dmp

Filesize
1.1MB

Download
memory/1256-24-0x00000000066D0000-0x0000000006832000-memory.dmp

Filesize
1.4MB

Download
memory/1256-18-0x00000000066D0000-0x0000000006832000-memory.dmp

Filesize
1.4MB

Download
memory/1672-0-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-2-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1672-1-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-3-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/1672-4-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1672-5-0x00000000003A0000-0x00000000003E0000-memory.dmp

Filesize
256KB

Download
memory/1672-13-0x00000000748A0000-0x0000000074E4B000-memory.dmp

Filesize
5.7MB

Download
memory/2636-16-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2636-17-0x0000000000110000-0x0000000000124000-memory.dmp

Filesize
80KB

Download
memory/2636-14-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/2636-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2636-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2636-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2636-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2644-19-0x0000000000780000-0x0000000000A01000-memory.dmp

Filesize
2.5MB

Download
memory/2644-20-0x0000000000780000-0x0000000000A01000-memory.dmp

Filesize
2.5MB

Download
memory/2644-21-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/2644-22-0x0000000002290000-0x0000000002593000-memory.dmp

Filesize
3.0MB

Download
memory/2644-23-0x0000000000080000-0x00000000000AE000-memory.dmp

Filesize
184KB

Download
memory/2644-27-0x0000000002190000-0x0000000002223000-memory.dmp

Filesize
588KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads