formbook | 6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b

General

Target

tmp.exe
Size

710KB
MD5

493562fc3240d634f797be4a433d72c7
SHA1

92569595aa0a20d9937bd03525a756dd35059d3b
SHA256

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b
SHA512

70eb16d06d38d80cc4513962f6fbdeda54e6ec2bc30caa9fb112d3cd355b12c088426c823d3d4a3e315209b3fc908c0339e9cdc8de99462e87eba311f4801a75
SSDEEP

12288:406gna2iNP1UIkvEbtOgVt3KB6bxxXRZEG/p8fD5mcjtqlg6utz5l96OXaq:XTa1F14ot1aIxxAop+mc0g6MNa

Score

10^/10

formbook ro12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ro12

Decoy

start399.com

decyfincoin.com

binguozhijiaok.com

one45.vip

55dy5s.top

regmt.pro

2ahxgaafifl.com

xn--6rtp2flvfc2h.com

justinmburns.com

los3.online

fleshaaikensdivinegiven7llc.com

servicedelv.services

apexcaryhomesforsale.com

shuraop.xyz

sagetotal.com

gratitude-et-compagnie.com

riderarea.com

digitalserviceact.online

contentbyc.com

agenda-digital-planner.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2932-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2932-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2520-21-0x0000000000070000-0x000000000009F000-memory.dmp	formbook
behavioral1/memory/2520-23-0x0000000000070000-0x000000000009F000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2652 cmd.exe

pid	process
2652	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

tmp.exetmp.exewscript.exe

description	pid	process	target process
PID 2172 set thread context of 2932	2172	tmp.exe	tmp.exe
PID 2932 set thread context of 1244	2932	tmp.exe	Explorer.EXE
PID 2520 set thread context of 1244	2520	wscript.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

tmp.exetmp.exewscript.exe

pid	process
2172	tmp.exe
2172	tmp.exe
2172	tmp.exe
2172	tmp.exe
2172	tmp.exe
2172	tmp.exe
2172	tmp.exe
2932	tmp.exe
2932	tmp.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe
2520	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1244 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

tmp.exewscript.exe

pid process

2932 tmp.exe
2932 tmp.exe
2932 tmp.exe
2520 wscript.exe
2520 wscript.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

tmp.exetmp.exewscript.exe

description pid process

Token: SeDebugPrivilege 2172 tmp.exe
Token: SeDebugPrivilege 2932 tmp.exe
Token: SeDebugPrivilege 2520 wscript.exe

pid	process
1244	Explorer.EXE

pid	process
2932	tmp.exe
2932	tmp.exe
2932	tmp.exe
2520	wscript.exe
2520	wscript.exe

description	pid	process
Token: SeDebugPrivilege	2172	tmp.exe
Token: SeDebugPrivilege	2932	tmp.exe
Token: SeDebugPrivilege	2520	wscript.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

tmp.exeExplorer.EXEwscript.exe

description	pid	process	target process
PID 2172 wrote to memory of 2932	2172	tmp.exe	tmp.exe
PID 2172 wrote to memory of 2932	2172	tmp.exe	tmp.exe
PID 2172 wrote to memory of 2932	2172	tmp.exe	tmp.exe
PID 2172 wrote to memory of 2932	2172	tmp.exe	tmp.exe
PID 2172 wrote to memory of 2932	2172	tmp.exe	tmp.exe
PID 2172 wrote to memory of 2932	2172	tmp.exe	tmp.exe
PID 2172 wrote to memory of 2932	2172	tmp.exe	tmp.exe
PID 1244 wrote to memory of 2520	1244	Explorer.EXE	wscript.exe
PID 1244 wrote to memory of 2520	1244	Explorer.EXE	wscript.exe
PID 1244 wrote to memory of 2520	1244	Explorer.EXE	wscript.exe
PID 1244 wrote to memory of 2520	1244	Explorer.EXE	wscript.exe
PID 2520 wrote to memory of 2652	2520	wscript.exe	cmd.exe
PID 2520 wrote to memory of 2652	2520	wscript.exe	cmd.exe
PID 2520 wrote to memory of 2652	2520	wscript.exe	cmd.exe
PID 2520 wrote to memory of 2652	2520	wscript.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1244
- C:\Users\Admin\AppData\Local\Temp\tmp.exe
  "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2172
- - C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2932
- C:\Windows\SysWOW64\wscript.exe
  "C:\Windows\SysWOW64\wscript.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    3⤵
    - Deletes itself
    PID:2652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1244-18-0x0000000005050000-0x00000000051A8000-memory.dmp

Filesize
1.3MB

Download
memory/1244-30-0x0000000004D40000-0x0000000004E15000-memory.dmp

Filesize
852KB

Download
memory/1244-28-0x0000000004D40000-0x0000000004E15000-memory.dmp

Filesize
852KB

Download
memory/1244-27-0x0000000004D40000-0x0000000004E15000-memory.dmp

Filesize
852KB

Download
memory/1244-24-0x0000000005050000-0x00000000051A8000-memory.dmp

Filesize
1.3MB

Download
memory/2172-13-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-5-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2172-7-0x0000000005E70000-0x0000000005EDE000-memory.dmp

Filesize
440KB

Download
memory/2172-1-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-2-0x0000000001F00000-0x0000000001F40000-memory.dmp

Filesize
256KB

Download
memory/2172-3-0x00000000005B0000-0x00000000005C8000-memory.dmp

Filesize
96KB

Download
memory/2172-4-0x00000000742A0000-0x000000007498E000-memory.dmp

Filesize
6.9MB

Download
memory/2172-0-0x00000000002B0000-0x0000000000368000-memory.dmp

Filesize
736KB

Download
memory/2172-6-0x0000000000590000-0x000000000059A000-memory.dmp

Filesize
40KB

Download
memory/2520-23-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/2520-20-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/2520-19-0x0000000000240000-0x0000000000266000-memory.dmp

Filesize
152KB

Download
memory/2520-21-0x0000000000070000-0x000000000009F000-memory.dmp

Filesize
188KB

Download
memory/2520-22-0x00000000020D0000-0x00000000023D3000-memory.dmp

Filesize
3.0MB

Download
memory/2520-26-0x00000000023E0000-0x0000000002473000-memory.dmp

Filesize
588KB

Download
memory/2932-17-0x0000000000280000-0x0000000000294000-memory.dmp

Filesize
80KB

Download
memory/2932-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-14-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/2932-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2932-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2932-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads