formbook | fa8b2e6ab78a1b6cb804a7125624b693a9271e19a6091737534d1f471c7762c6

General

Target

Purchase Order_A7.pdf.exe
Size

613KB
MD5

5b1b412ccc9ccca7f9156c3a4e3badee
SHA1

8222046cd5c8c57d2b4e51f4b987ac339afb2461
SHA256

fa8b2e6ab78a1b6cb804a7125624b693a9271e19a6091737534d1f471c7762c6
SHA512

f6c99f41c7f58b4e9a4906911771669215f9ce7525d27c0f9f19e3263a712e5e4bbdd41b5560cc73f795176e79aaaf0ce6d3bc9068796dd3b7010a010a39a4a8
SSDEEP

12288:XhNh6sxTA6qNh3NDsJkr7ZAYkUPBzknjq2/68Q3ZfKNtX7+A7yNse8yFx5t1h:XDDxs6gzsJ+PBzknjx6vQV7wNsIFN1

Score

10^/10

formbook fw02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

photonplayground.shop

bestonlinecasinos1.com

ks3633.com

vozandvalor.com

crowdfundmylife.com

rfidci.top

onhdl.cloud

asianwithshorthair.com

m4i6g.com

sb1388.com

ekantipurdainik.com

jonesbridgeltd.com

emilylau.xyz

alveomx.com

stekloff.online

gzzzcszx.com

hi-fishop.com

eureka-fashion.shop

mprojektai.com

scaletiktokyws.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4052-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4052-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4844-24-0x0000000000A20000-0x0000000000A4F000-memory.dmp	formbook
behavioral2/memory/4844-26-0x0000000000A20000-0x0000000000A4F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order_A7.pdf.exePurchase Order_A7.pdf.exeraserver.exe

description	pid	process	target process
PID 2792 set thread context of 4052	2792	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 4052 set thread context of 3296	4052	Purchase Order_A7.pdf.exe	Explorer.EXE
PID 4844 set thread context of 3296	4844	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Purchase Order_A7.pdf.exeraserver.exe

pid	process
4052	Purchase Order_A7.pdf.exe
4052	Purchase Order_A7.pdf.exe
4052	Purchase Order_A7.pdf.exe
4052	Purchase Order_A7.pdf.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe
4844	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3296 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Purchase Order_A7.pdf.exeraserver.exe

pid process

4052 Purchase Order_A7.pdf.exe
4052 Purchase Order_A7.pdf.exe
4052 Purchase Order_A7.pdf.exe
4844 raserver.exe
4844 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order_A7.pdf.exeraserver.exe

description pid process

Token: SeDebugPrivilege 4052 Purchase Order_A7.pdf.exe
Token: SeDebugPrivilege 4844 raserver.exe

pid	process
3296	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	4052	Purchase Order_A7.pdf.exe
Token: SeDebugPrivilege	4844	raserver.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Purchase Order_A7.pdf.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2792 wrote to memory of 4052	2792	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2792 wrote to memory of 4052	2792	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2792 wrote to memory of 4052	2792	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2792 wrote to memory of 4052	2792	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2792 wrote to memory of 4052	2792	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2792 wrote to memory of 4052	2792	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 3296 wrote to memory of 4844	3296	Explorer.EXE	raserver.exe
PID 3296 wrote to memory of 4844	3296	Explorer.EXE	raserver.exe
PID 3296 wrote to memory of 4844	3296	Explorer.EXE	raserver.exe
PID 4844 wrote to memory of 2416	4844	raserver.exe	cmd.exe
PID 4844 wrote to memory of 2416	4844	raserver.exe	cmd.exe
PID 4844 wrote to memory of 2416	4844	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4052

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4844

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
3⤵
PID:2416

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2792-15-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2792-4-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2792-0-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2792-3-0x0000000004CA0000-0x0000000004D32000-memory.dmp

Filesize
584KB

Download
memory/2792-11-0x000000000B010000-0x000000000B07E000-memory.dmp

Filesize
440KB

Download
memory/2792-5-0x0000000002930000-0x000000000293A000-memory.dmp

Filesize
40KB

Download
memory/2792-6-0x0000000004DB0000-0x0000000004DCC000-memory.dmp

Filesize
112KB

Download
memory/2792-7-0x0000000002920000-0x000000000292C000-memory.dmp

Filesize
48KB

Download
memory/2792-8-0x0000000074400000-0x0000000074BB0000-memory.dmp

Filesize
7.7MB

Download
memory/2792-9-0x0000000004F20000-0x0000000004F30000-memory.dmp

Filesize
64KB

Download
memory/2792-10-0x0000000004E10000-0x0000000004E20000-memory.dmp

Filesize
64KB

Download
memory/2792-1-0x0000000000230000-0x00000000002D0000-memory.dmp

Filesize
640KB

Download
memory/2792-12-0x000000000E5B0000-0x000000000E64C000-memory.dmp

Filesize
624KB

Download
memory/2792-2-0x00000000053E0000-0x0000000005984000-memory.dmp

Filesize
5.6MB

Download
memory/3296-27-0x0000000007C80000-0x0000000007D77000-memory.dmp

Filesize
988KB

Download
memory/3296-33-0x0000000008F80000-0x0000000009095000-memory.dmp

Filesize
1.1MB

Download
memory/3296-31-0x0000000008F80000-0x0000000009095000-memory.dmp

Filesize
1.1MB

Download
memory/3296-20-0x0000000007C80000-0x0000000007D77000-memory.dmp

Filesize
988KB

Download
memory/3296-30-0x0000000008F80000-0x0000000009095000-memory.dmp

Filesize
1.1MB

Download
memory/4052-19-0x0000000001E20000-0x0000000001E35000-memory.dmp

Filesize
84KB

Download
memory/4052-16-0x00000000019D0000-0x0000000001D1A000-memory.dmp

Filesize
3.3MB

Download
memory/4052-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4052-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4844-21-0x0000000000730000-0x000000000074F000-memory.dmp

Filesize
124KB

Download
memory/4844-26-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download
memory/4844-29-0x0000000002880000-0x0000000002914000-memory.dmp

Filesize
592KB

Download
memory/4844-25-0x0000000002A90000-0x0000000002DDA000-memory.dmp

Filesize
3.3MB

Download
memory/4844-23-0x0000000000730000-0x000000000074F000-memory.dmp

Filesize
124KB

Download
memory/4844-24-0x0000000000A20000-0x0000000000A4F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads