formbook | fa8b2e6ab78a1b6cb804a7125624b693a9271e19a6091737534d1f471c7762c6

General

Target

Purchase Order_A7.pdf.exe
Size

613KB
MD5

5b1b412ccc9ccca7f9156c3a4e3badee
SHA1

8222046cd5c8c57d2b4e51f4b987ac339afb2461
SHA256

fa8b2e6ab78a1b6cb804a7125624b693a9271e19a6091737534d1f471c7762c6
SHA512

f6c99f41c7f58b4e9a4906911771669215f9ce7525d27c0f9f19e3263a712e5e4bbdd41b5560cc73f795176e79aaaf0ce6d3bc9068796dd3b7010a010a39a4a8
SSDEEP

12288:XhNh6sxTA6qNh3NDsJkr7ZAYkUPBzknjq2/68Q3ZfKNtX7+A7yNse8yFx5t1h:XDDxs6gzsJ+PBzknjx6vQV7wNsIFN1

Score

10^/10

formbook fw02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

photonplayground.shop

bestonlinecasinos1.com

ks3633.com

vozandvalor.com

crowdfundmylife.com

rfidci.top

onhdl.cloud

asianwithshorthair.com

m4i6g.com

sb1388.com

ekantipurdainik.com

jonesbridgeltd.com

emilylau.xyz

alveomx.com

stekloff.online

gzzzcszx.com

hi-fishop.com

eureka-fashion.shop

mprojektai.com

scaletiktokyws.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2744-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2744-19-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2860-25-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook
behavioral1/memory/2860-28-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2876 cmd.exe

pid	process
2876	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

Purchase Order_A7.pdf.exePurchase Order_A7.pdf.exeNETSTAT.EXE

description	pid	process	target process
PID 2012 set thread context of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2744 set thread context of 1228	2744	Purchase Order_A7.pdf.exe	Explorer.EXE
PID 2860 set thread context of 1228	2860	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

2860 NETSTAT.EXE

pid	process
2860	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

Purchase Order_A7.pdf.exeNETSTAT.EXE

pid	process
2744	Purchase Order_A7.pdf.exe
2744	Purchase Order_A7.pdf.exe
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE
2860	NETSTAT.EXE

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Purchase Order_A7.pdf.exeNETSTAT.EXE

pid process

2744 Purchase Order_A7.pdf.exe
2744 Purchase Order_A7.pdf.exe
2744 Purchase Order_A7.pdf.exe
2860 NETSTAT.EXE
2860 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Purchase Order_A7.pdf.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 2744 Purchase Order_A7.pdf.exe
Token: SeDebugPrivilege 2860 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid process

1228 Explorer.EXE
1228 Explorer.EXE

pid	process
1228	Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2744	Purchase Order_A7.pdf.exe
Token: SeDebugPrivilege	2860	NETSTAT.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

pid	process
1228	Explorer.EXE
1228	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

Purchase Order_A7.pdf.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 2012 wrote to memory of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2012 wrote to memory of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2012 wrote to memory of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2012 wrote to memory of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2012 wrote to memory of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2012 wrote to memory of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 2012 wrote to memory of 2744	2012	Purchase Order_A7.pdf.exe	Purchase Order_A7.pdf.exe
PID 1228 wrote to memory of 2860	1228	Explorer.EXE	NETSTAT.EXE
PID 1228 wrote to memory of 2860	1228	Explorer.EXE	NETSTAT.EXE
PID 1228 wrote to memory of 2860	1228	Explorer.EXE	NETSTAT.EXE
PID 1228 wrote to memory of 2860	1228	Explorer.EXE	NETSTAT.EXE
PID 2860 wrote to memory of 2876	2860	NETSTAT.EXE	cmd.exe
PID 2860 wrote to memory of 2876	2860	NETSTAT.EXE	cmd.exe
PID 2860 wrote to memory of 2876	2860	NETSTAT.EXE	cmd.exe
PID 2860 wrote to memory of 2876	2860	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1228

C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2744

C:\Windows\SysWOW64\autoconv.exe
"C:\Windows\SysWOW64\autoconv.exe"
2⤵
PID:2472

C:\Windows\SysWOW64\autofmt.exe
"C:\Windows\SysWOW64\autofmt.exe"
2⤵
PID:2768

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order_A7.pdf.exe"
3⤵
- Deletes itself
PID:2876

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1228-35-0x0000000006CA0000-0x0000000006D86000-memory.dmp

Filesize
920KB

Download
memory/1228-22-0x0000000006B20000-0x0000000006C97000-memory.dmp

Filesize
1.5MB

Download
memory/1228-27-0x0000000006B20000-0x0000000006C97000-memory.dmp

Filesize
1.5MB

Download
memory/1228-31-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1228-20-0x0000000002E80000-0x0000000002F80000-memory.dmp

Filesize
1024KB

Download
memory/1228-32-0x0000000006CA0000-0x0000000006D86000-memory.dmp

Filesize
920KB

Download
memory/1228-33-0x0000000006CA0000-0x0000000006D86000-memory.dmp

Filesize
920KB

Download
memory/2012-4-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2012-8-0x0000000004FD0000-0x000000000503E000-memory.dmp

Filesize
440KB

Download
memory/2012-7-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/2012-6-0x0000000001130000-0x0000000001170000-memory.dmp

Filesize
256KB

Download
memory/2012-5-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2012-3-0x0000000000220000-0x000000000023C000-memory.dmp

Filesize
112KB

Download
memory/2012-16-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2012-0-0x0000000001180000-0x0000000001220000-memory.dmp

Filesize
640KB

Download
memory/2012-2-0x0000000001130000-0x0000000001170000-memory.dmp

Filesize
256KB

Download
memory/2012-1-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2744-17-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/2744-21-0x0000000000180000-0x0000000000195000-memory.dmp

Filesize
84KB

Download
memory/2744-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2744-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2744-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2860-23-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/2860-24-0x0000000000950000-0x0000000000959000-memory.dmp

Filesize
36KB

Download
memory/2860-25-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2860-26-0x0000000002090000-0x0000000002393000-memory.dmp

Filesize
3.0MB

Download
memory/2860-28-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download
memory/2860-30-0x0000000001F00000-0x0000000001F94000-memory.dmp

Filesize
592KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads