formbook | fa8b2e6ab78a1b6cb804a7125624b693a9271e19a6091737534d1f471c7762c6

General

Target

Purchase Order_A7.pdf.exe
Size

613KB
MD5

5b1b412ccc9ccca7f9156c3a4e3badee
SHA1

8222046cd5c8c57d2b4e51f4b987ac339afb2461
SHA256

fa8b2e6ab78a1b6cb804a7125624b693a9271e19a6091737534d1f471c7762c6
SHA512

f6c99f41c7f58b4e9a4906911771669215f9ce7525d27c0f9f19e3263a712e5e4bbdd41b5560cc73f795176e79aaaf0ce6d3bc9068796dd3b7010a010a39a4a8
SSDEEP

12288:XhNh6sxTA6qNh3NDsJkr7ZAYkUPBzknjq2/68Q3ZfKNtX7+A7yNse8yFx5t1h:XDDxs6gzsJ+PBzknjx6vQV7wNsIFN1

Score

10^/10

formbook fw02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

photonplayground.shop

bestonlinecasinos1.com

ks3633.com

vozandvalor.com

crowdfundmylife.com

rfidci.top

onhdl.cloud

asianwithshorthair.com

m4i6g.com

sb1388.com

ekantipurdainik.com

jonesbridgeltd.com

emilylau.xyz

alveomx.com

stekloff.online

gzzzcszx.com

hi-fishop.com

eureka-fashion.shop

mprojektai.com

scaletiktokyws.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2740-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2740-19-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2740-23-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2684-29-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2684-31-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1704 cmd.exe

pid	process
1704	cmd.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

Purchase Order_A7.pdf.exePurchase Order_A7.pdf.execmd.exe

description	pid	process	target process
PID 2664 set thread context of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2740 set thread context of 1236	2740	Purchase Order_A7.pdf.exe	Explorer.EXE
PID 2740 set thread context of 1236	2740	Purchase Order_A7.pdf.exe	Explorer.EXE
PID 2684 set thread context of 1236	2684	cmd.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Purchase Order_A7.pdf.execmd.exe

pid	process
2740	Purchase Order_A7.pdf.exe
2740	Purchase Order_A7.pdf.exe
2740	Purchase Order_A7.pdf.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe
2684	cmd.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

Purchase Order_A7.pdf.execmd.exe

pid process

2740 Purchase Order_A7.pdf.exe
2740 Purchase Order_A7.pdf.exe
2740 Purchase Order_A7.pdf.exe
2740 Purchase Order_A7.pdf.exe
2684 cmd.exe
2684 cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order_A7.pdf.execmd.exe

description pid process

Token: SeDebugPrivilege 2740 Purchase Order_A7.pdf.exe
Token: SeDebugPrivilege 2684 cmd.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1236 Explorer.EXE
1236 Explorer.EXE

pid	process
1236	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2740	Purchase Order_A7.pdf.exe
Token: SeDebugPrivilege	2684	cmd.exe

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

pid	process
1236	Explorer.EXE
1236	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Purchase Order_A7.pdf.exeExplorer.EXEcmd.exe

description	pid	process	target process
PID 2664 wrote to memory of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2664 wrote to memory of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2664 wrote to memory of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2664 wrote to memory of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2664 wrote to memory of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2664 wrote to memory of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2664 wrote to memory of 2740	2664	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 1236 wrote to memory of 2684	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2684	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2684	1236	Explorer.EXE	cmd.exe
PID 1236 wrote to memory of 2684	1236	Explorer.EXE	cmd.exe
PID 2684 wrote to memory of 1704	2684	cmd.exe	cmd.exe
PID 2684 wrote to memory of 1704	2684	cmd.exe	cmd.exe
PID 2684 wrote to memory of 1704	2684	cmd.exe	cmd.exe
PID 2684 wrote to memory of 1704	2684	cmd.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1236

C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2664

C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2740

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\SysWOW64\cmd.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2684

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
3⤵
- Deletes itself
PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1236-39-0x0000000009910000-0x0000000009A7E000-memory.dmp

Filesize
1.4MB

Download
memory/1236-26-0x0000000008DC0000-0x0000000008F34000-memory.dmp

Filesize
1.5MB

Download
memory/1236-32-0x0000000008DC0000-0x0000000008F34000-memory.dmp

Filesize
1.5MB

Download
memory/1236-35-0x00000000038E0000-0x00000000039E0000-memory.dmp

Filesize
1024KB

Download
memory/1236-21-0x0000000005EB0000-0x0000000005FA6000-memory.dmp

Filesize
984KB

Download
memory/1236-36-0x0000000009910000-0x0000000009A7E000-memory.dmp

Filesize
1.4MB

Download
memory/1236-37-0x0000000009910000-0x0000000009A7E000-memory.dmp

Filesize
1.4MB

Download
memory/2664-4-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2664-8-0x0000000004940000-0x00000000049AE000-memory.dmp

Filesize
440KB

Download
memory/2664-7-0x00000000005C0000-0x00000000005D0000-memory.dmp

Filesize
64KB

Download
memory/2664-6-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2664-5-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-3-0x0000000000610000-0x000000000062C000-memory.dmp

Filesize
112KB

Download
memory/2664-16-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2664-2-0x0000000004A00000-0x0000000004A40000-memory.dmp

Filesize
256KB

Download
memory/2664-0-0x0000000000220000-0x00000000002C0000-memory.dmp

Filesize
640KB

Download
memory/2664-1-0x0000000074E70000-0x000000007555E000-memory.dmp

Filesize
6.9MB

Download
memory/2684-30-0x00000000020B0000-0x00000000023B3000-memory.dmp

Filesize
3.0MB

Download
memory/2684-34-0x0000000001FD0000-0x0000000002064000-memory.dmp

Filesize
592KB

Download
memory/2684-31-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2684-29-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2684-27-0x000000004A9C0000-0x000000004AA0C000-memory.dmp

Filesize
304KB

Download
memory/2684-28-0x000000004A9C0000-0x000000004AA0C000-memory.dmp

Filesize
304KB

Download
memory/2740-20-0x0000000000200000-0x0000000000215000-memory.dmp

Filesize
84KB

Download
memory/2740-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-23-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-17-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/2740-24-0x0000000000770000-0x0000000000785000-memory.dmp

Filesize
84KB

Download
memory/2740-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2740-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2740-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads