formbook | 9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784

General

Target

Confirmação do pedido.pdf.exe
Size

590KB
MD5

2f9e1385a9c419ad70bb121e4250ae0a
SHA1

ee2018b7427e3eccd78683018864043a72d841a9
SHA256

9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784
SHA512

9c7a9d86a29729b1189a027e11c40175928c2c76355678ebaa06a08b42a8b0d6c0e6ba6237d61aa81a8a80e8b9d52b22c877f45dd74a233c720fee10e6419917
SSDEEP

12288:IS4CMwNNFJyvdgH7RPTwerlTuzRjynjSGqaJt2m8:IMFggH7RbweRTuzJsjSGqaJsm8

Score

10^/10

formbook o22d rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o22d

Decoy

stillsfengservices.com

protectagainstcrime.com

winiboya.com

mindbeforemusic.com

giyelz1i5.sbs

coin8899.com

coolgirls.club

ssdcf1416aasx.world

heir.solutions

soulmatchup.xyz

ingenetpy.com

knkvdqt5g.sbs

vireoremedy.com

leopolis.rent

apartment-for-rent-314.space

theenlightenedmotherhood.com

zidao.cloud

oi7982jbacdbfssagroup.monster

anandasnacks.com

start.beer

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/892-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/892-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3260-21-0x0000000001450000-0x000000000147F000-memory.dmp	formbook
behavioral2/memory/3260-23-0x0000000001450000-0x000000000147F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Confirmação do pedido.pdf.exeConfirmação do pedido.pdf.exeWWAHost.exe

description	pid	process	target process
PID 3896 set thread context of 892	3896	Confirmação do pedido.pdf.exe	Confirmação do pedido.pdf.exe
PID 892 set thread context of 3408	892	Confirmação do pedido.pdf.exe	Explorer.EXE
PID 3260 set thread context of 3408	3260	WWAHost.exe	Explorer.EXE

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

Confirmação do pedido.pdf.exeWWAHost.exe

pid	process
892	Confirmação do pedido.pdf.exe
892	Confirmação do pedido.pdf.exe
892	Confirmação do pedido.pdf.exe
892	Confirmação do pedido.pdf.exe
892	Confirmação do pedido.pdf.exe
892	Confirmação do pedido.pdf.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe
3260	WWAHost.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Confirmação do pedido.pdf.exeWWAHost.exe

pid process

892 Confirmação do pedido.pdf.exe
892 Confirmação do pedido.pdf.exe
892 Confirmação do pedido.pdf.exe
3260 WWAHost.exe
3260 WWAHost.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

Processes:

Confirmação do pedido.pdf.exeWWAHost.exeExplorer.EXE

description	pid	process
Token: SeDebugPrivilege	892	Confirmação do pedido.pdf.exe
Token: SeDebugPrivilege	3260	WWAHost.exe
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE
Token: SeShutdownPrivilege	3408	Explorer.EXE
Token: SeCreatePagefilePrivilege	3408	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3408 Explorer.EXE

pid	process
3408	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Confirmação do pedido.pdf.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 3896 wrote to memory of 892	3896	Confirmação do pedido.pdf.exe	Confirmação do pedido.pdf.exe
PID 3896 wrote to memory of 892	3896	Confirmação do pedido.pdf.exe	Confirmação do pedido.pdf.exe
PID 3896 wrote to memory of 892	3896	Confirmação do pedido.pdf.exe	Confirmação do pedido.pdf.exe
PID 3896 wrote to memory of 892	3896	Confirmação do pedido.pdf.exe	Confirmação do pedido.pdf.exe
PID 3896 wrote to memory of 892	3896	Confirmação do pedido.pdf.exe	Confirmação do pedido.pdf.exe
PID 3896 wrote to memory of 892	3896	Confirmação do pedido.pdf.exe	Confirmação do pedido.pdf.exe
PID 3408 wrote to memory of 3260	3408	Explorer.EXE	WWAHost.exe
PID 3408 wrote to memory of 3260	3408	Explorer.EXE	WWAHost.exe
PID 3408 wrote to memory of 3260	3408	Explorer.EXE	WWAHost.exe
PID 3260 wrote to memory of 2868	3260	WWAHost.exe	cmd.exe
PID 3260 wrote to memory of 2868	3260	WWAHost.exe	cmd.exe
PID 3260 wrote to memory of 2868	3260	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\Confirmação do pedido.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmação do pedido.pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3896

C:\Users\Admin\AppData\Local\Temp\Confirmação do pedido.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Confirmação do pedido.pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:892

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3260

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Confirmação do pedido.pdf.exe"
3⤵
PID:2868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/892-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-16-0x00000000010D0000-0x00000000010E4000-memory.dmp

Filesize
80KB

Download
memory/892-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/892-13-0x00000000011A0000-0x00000000014EA000-memory.dmp

Filesize
3.3MB

Download
memory/3260-21-0x0000000001450000-0x000000000147F000-memory.dmp

Filesize
188KB

Download
memory/3260-18-0x0000000000D00000-0x0000000000DDC000-memory.dmp

Filesize
880KB

Download
memory/3260-25-0x0000000001DD0000-0x0000000001E63000-memory.dmp

Filesize
588KB

Download
memory/3260-23-0x0000000001450000-0x000000000147F000-memory.dmp

Filesize
188KB

Download
memory/3260-22-0x0000000001F30000-0x000000000227A000-memory.dmp

Filesize
3.3MB

Download
memory/3260-20-0x0000000000D00000-0x0000000000DDC000-memory.dmp

Filesize
880KB

Download
memory/3408-17-0x000000000AF60000-0x000000000B0CA000-memory.dmp

Filesize
1.4MB

Download
memory/3408-26-0x000000000AF60000-0x000000000B0CA000-memory.dmp

Filesize
1.4MB

Download
memory/3408-32-0x0000000008B60000-0x0000000008C0A000-memory.dmp

Filesize
680KB

Download
memory/3408-29-0x0000000008B60000-0x0000000008C0A000-memory.dmp

Filesize
680KB

Download
memory/3408-28-0x0000000008B60000-0x0000000008C0A000-memory.dmp

Filesize
680KB

Download
memory/3896-9-0x0000000008C30000-0x0000000008CCC000-memory.dmp

Filesize
624KB

Download
memory/3896-5-0x0000000004CE0000-0x0000000004CEA000-memory.dmp

Filesize
40KB

Download
memory/3896-12-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3896-0-0x0000000000240000-0x00000000002DA000-memory.dmp

Filesize
616KB

Download
memory/3896-8-0x00000000061E0000-0x0000000006256000-memory.dmp

Filesize
472KB

Download
memory/3896-7-0x0000000005080000-0x000000000508C000-memory.dmp

Filesize
48KB

Download
memory/3896-6-0x0000000004D30000-0x0000000004D42000-memory.dmp

Filesize
72KB

Download
memory/3896-4-0x0000000004F30000-0x0000000004F40000-memory.dmp

Filesize
64KB

Download
memory/3896-1-0x00000000743D0000-0x0000000074B80000-memory.dmp

Filesize
7.7MB

Download
memory/3896-2-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/3896-3-0x0000000004D40000-0x0000000004DD2000-memory.dmp

Filesize
584KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads