formbook | f1ff0af2e70fe124dff55ac39bd4907001e6f3b7db9576c61ae9a33745b391e9

General

Target

M5q4uWVi2hHJb5C.exe
Size

673KB
MD5

8f59922b722f3d9687be6fbe7560a62e
SHA1

8fa58ece4679a1583f3f63ad1e7584ddae114e02
SHA256

2cf38bc5d5c1fea2c057ec48c472636028f113bea556386f0cc8b785a3a21189
SHA512

118ed74e6d2b0377d0d32366315b3fae260d6bdc5b10b1eaad6c8747a153844a1bec55bca194411e70db71251c5324aa69a0c5133e32cb1440107c5d9afb12e9
SSDEEP

12288:8CxEd61QEWfBQYahsa5cJQAmaNzzePkzYa3Y2fTKQ+KWr:8CxcvfByhsa5+OKzzhZZ7L+pr

Score

10^/10

formbook cz30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cz30

Decoy

valeriepuma.com

rentyourbag.com

unglesbyessure.com

ahzmjy.site

taazdelights.online

conexoesnews.com

istprimeway.com

elwf4tlu.shop

661.support

fournaisehk.com

glechiu.xyz

2r2pv2.shop

902523.rip

bruggicapy.com

westmobileautodeatailers.online

muaad.co

gridxsens.com

victoronedesigns.com

tecexpressbr.com

crea4net.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 5 IoCs

rat

resource	yara_rule
behavioral1/memory/2792-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2792-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2792-22-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2972-28-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/2972-30-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1212 set thread context of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 2792 set thread context of 1228	2792	M5q4uWVi2hHJb5C.exe	18
PID 2792 set thread context of 1228	2792	M5q4uWVi2hHJb5C.exe	18
PID 2972 set thread context of 1228	2972	svchost.exe	18

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\Registry\User\S-1-5-21-452311807-3713411997-1028535425-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2	svchost.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2792	M5q4uWVi2hHJb5C.exe
2792	M5q4uWVi2hHJb5C.exe
2792	M5q4uWVi2hHJb5C.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe

Suspicious behavior: MapViewOfSection 8 IoCs

pid	Process
2792	M5q4uWVi2hHJb5C.exe
2792	M5q4uWVi2hHJb5C.exe
2792	M5q4uWVi2hHJb5C.exe
2792	M5q4uWVi2hHJb5C.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe
2972	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	M5q4uWVi2hHJb5C.exe
Token: SeDebugPrivilege	2972	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 1212 wrote to memory of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 1212 wrote to memory of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 1212 wrote to memory of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 1212 wrote to memory of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 1212 wrote to memory of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 1212 wrote to memory of 2792	1212	M5q4uWVi2hHJb5C.exe	28
PID 1228 wrote to memory of 2972	1228	Explorer.EXE	30
PID 1228 wrote to memory of 2972	1228	Explorer.EXE	30
PID 1228 wrote to memory of 2972	1228	Explorer.EXE	30
PID 1228 wrote to memory of 2972	1228	Explorer.EXE	30
PID 2972 wrote to memory of 884	2972	svchost.exe	34
PID 2972 wrote to memory of 884	2972	svchost.exe	34
PID 2972 wrote to memory of 884	2972	svchost.exe	34
PID 2972 wrote to memory of 884	2972	svchost.exe	34
PID 2972 wrote to memory of 884	2972	svchost.exe	34

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1228
- C:\Users\Admin\AppData\Local\Temp\M5q4uWVi2hHJb5C.exe
  "C:\Users\Admin\AppData\Local\Temp\M5q4uWVi2hHJb5C.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Users\Admin\AppData\Local\Temp\M5q4uWVi2hHJb5C.exe
    "C:\Users\Admin\AppData\Local\Temp\M5q4uWVi2hHJb5C.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2792
- C:\Windows\SysWOW64\autoconv.exe
  "C:\Windows\SysWOW64\autoconv.exe"
  2⤵
  PID:2780
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2972
- - C:\Program Files\Mozilla Firefox\Firefox.exe
    "C:\Program Files\Mozilla Firefox\Firefox.exe"
    3⤵
    PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1212-8-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/1212-6-0x00000000011F0000-0x0000000001266000-memory.dmp

Filesize
472KB

Download
memory/1212-2-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/1212-3-0x00000000006D0000-0x00000000006E4000-memory.dmp

Filesize
80KB

Download
memory/1212-0-0x0000000001280000-0x000000000132E000-memory.dmp

Filesize
696KB

Download
memory/1212-5-0x00000000008B0000-0x00000000008BE000-memory.dmp

Filesize
56KB

Download
memory/1212-1-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1212-7-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1212-4-0x00000000008A0000-0x00000000008AA000-memory.dmp

Filesize
40KB

Download
memory/1212-14-0x00000000748E0000-0x0000000074FCE000-memory.dmp

Filesize
6.9MB

Download
memory/1228-34-0x0000000004010000-0x0000000004106000-memory.dmp

Filesize
984KB

Download
memory/1228-23-0x0000000000330000-0x0000000000430000-memory.dmp

Filesize
1024KB

Download
memory/1228-25-0x00000000072A0000-0x000000000742E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-37-0x00000000072A0000-0x000000000742E000-memory.dmp

Filesize
1.6MB

Download
memory/1228-20-0x0000000004010000-0x0000000004106000-memory.dmp

Filesize
984KB

Download
memory/1228-19-0x00000000027D0000-0x00000000028D0000-memory.dmp

Filesize
1024KB

Download
memory/2792-18-0x0000000000310000-0x0000000000324000-memory.dmp

Filesize
80KB

Download
memory/2792-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-15-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download
memory/2792-24-0x0000000000350000-0x0000000000364000-memory.dmp

Filesize
80KB

Download
memory/2792-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2792-22-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2972-26-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2972-29-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/2972-30-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2972-35-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download
memory/2972-28-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/2972-27-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2972-41-0x00000000005D0000-0x0000000000663000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing