formbook | cfe71b8bd0a8d2dfc025eb646af5c1ffadb0e466ee4ddbec62b6ef5fa54ffad9

General

Target

Dekont.pdf.exe
Size

523KB
MD5

00c530ddcfaeed76880d3813eb299fd0
SHA1

1804eca4b9abfae9be3bf90575142044b6768a1f
SHA256

d8d4a283c2cf6b0b3339d73021955f68d748cad0fd0646f84dbba778e682253e
SHA512

3712037c8188d696570a621960e6ac077dc2fbc9bb92398df96d137635c6bc25ba54895c3a80f993ec6d3c7c7a707b9167f23b39a853591067332ff59f325d60
SSDEEP

12288:94/Mb60lGYuvC6Zea5M38EHOFdnEqX3o3AgX4N6:Q0lLuK61u8ScnD0AN6

Score

10^/10

formbook mh21 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh21

Decoy

qiandaye.top

zltgw.com

getxgp.link

forest-create.site

parsefilm.com

foodstore.top

reynoldsquality.com

tripleshops.com

altuwaijrifood.com

seniorassistedlivinglocator.com

essencedelanature.com

hrwv098.xyz

olkja.xyz

10685johansen.com

ajidenhp.com

sensifiedregistration.com

timetodatings.life

bizbet-review-pt.com

zhangming.asia

xn--vhq074eeozsda.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2224-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2224-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2128 set thread context of 2224	2128	Dekont.pdf.exe	28
PID 2224 set thread context of 1288	2224	aspnet_compiler.exe	13

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2664	2476	WerFault.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2224	aspnet_compiler.exe
2224	aspnet_compiler.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1288	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2224	aspnet_compiler.exe
2224	aspnet_compiler.exe
2224	aspnet_compiler.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	aspnet_compiler.exe
Token: SeShutdownPrivilege	1288	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2128 wrote to memory of 2224	2128	Dekont.pdf.exe	28
PID 2128 wrote to memory of 2224	2128	Dekont.pdf.exe	28
PID 2128 wrote to memory of 2224	2128	Dekont.pdf.exe	28
PID 2128 wrote to memory of 2224	2128	Dekont.pdf.exe	28
PID 2128 wrote to memory of 2224	2128	Dekont.pdf.exe	28
PID 2128 wrote to memory of 2224	2128	Dekont.pdf.exe	28
PID 2128 wrote to memory of 2224	2128	Dekont.pdf.exe	28
PID 1288 wrote to memory of 2476	1288	Explorer.EXE	29
PID 1288 wrote to memory of 2476	1288	Explorer.EXE	29
PID 1288 wrote to memory of 2476	1288	Explorer.EXE	29
PID 1288 wrote to memory of 2476	1288	Explorer.EXE	29
PID 1288 wrote to memory of 2476	1288	Explorer.EXE	29
PID 1288 wrote to memory of 2476	1288	Explorer.EXE	29
PID 1288 wrote to memory of 2476	1288	Explorer.EXE	29
PID 2476 wrote to memory of 2664	2476	msiexec.exe	30
PID 2476 wrote to memory of 2664	2476	msiexec.exe	30
PID 2476 wrote to memory of 2664	2476	msiexec.exe	30
PID 2476 wrote to memory of 2664	2476	msiexec.exe	30

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe
  "C:\Users\Admin\AppData\Local\Temp\Dekont.pdf.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\SysWOW64\msiexec.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2476
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2476 -s 272
    3⤵
    - Program crash
    PID:2664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-26-0x0000000006B60000-0x0000000006C81000-memory.dmp

Filesize
1.1MB

Download
memory/1288-20-0x0000000006B60000-0x0000000006C81000-memory.dmp

Filesize
1.1MB

Download
memory/1288-19-0x0000000000210000-0x0000000000310000-memory.dmp

Filesize
1024KB

Download
memory/2128-14-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-1-0x0000000074560000-0x0000000074C4E000-memory.dmp

Filesize
6.9MB

Download
memory/2128-2-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/2128-3-0x0000000000580000-0x00000000005E0000-memory.dmp

Filesize
384KB

Download
memory/2128-4-0x00000000021D0000-0x000000000222E000-memory.dmp

Filesize
376KB

Download
memory/2128-5-0x00000000003F0000-0x000000000043E000-memory.dmp

Filesize
312KB

Download
memory/2128-6-0x0000000002230000-0x000000000227C000-memory.dmp

Filesize
304KB

Download
memory/2128-0-0x0000000000BA0000-0x0000000000C2A000-memory.dmp

Filesize
552KB

Download
memory/2224-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-15-0x0000000000810000-0x0000000000B13000-memory.dmp

Filesize
3.0MB

Download
memory/2224-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2224-18-0x0000000000320000-0x0000000000334000-memory.dmp

Filesize
80KB

Download
memory/2224-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2224-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2476-21-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

Filesize
80KB

Download
memory/2476-22-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

Filesize
80KB

Download
memory/2476-24-0x0000000000BC0000-0x0000000000BD4000-memory.dmp

Filesize
80KB

Download

Analysis

Sharing