formbook | 68a5d1f3cde5948d9b3d0c55942b19ca859f859af258cadcdc724351ee5e5401

General

Target

Request for Quotation...pdf.exe
Size

885KB
MD5

c489912068a72c74eb218562beeaaf8a
SHA1

6348afcd2c4645d983f6982bc3271646a3049fd5
SHA256

78ddeffb28de453b1235da58833f3e8532635bf556fb2ef23e25aa58b15506b0
SHA512

3d0ad7e47472b69026658d64017cc8aa30843c5757b521bb6edc7fdf8ec9a3bff889233ab38c8b3e58308beea2c150498ff78edef01b93107b3843881618b4b3
SSDEEP

12288:E3hYkBcPwb/nRlnGWsDzvFXQKoXVtnL+BpD2ePG72HrV7:hK/RlnE58fnKrvPG7gr

Score

10^/10

formbook jdge rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jdge

Decoy

cungcaptapvu.com

lantianren.net

mydivorcepsychologist.com

bageurapparel.com

citydealmaker.com

historyegress.com

litekkutu.xyz

perksofkerala.com

flairmax.com

washingmachineservicerepair.xyz

organicbeauty.club

rehmazbeauty.com

goodgly.com

imtheonlyperson.systems

shbanjia199.com

mwfbd.com

halsonpipe.com

0927487.com

perfectpeachco.com

danielprok.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2148-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2148-17-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3116-22-0x0000000000360000-0x000000000038E000-memory.dmp	formbook
behavioral2/memory/3116-28-0x0000000000360000-0x000000000038E000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

Request for Quotation...pdf.exeRequest for Quotation...pdf.execmstp.exe

description	pid	process	target process
PID 5036 set thread context of 2148	5036	Request for Quotation...pdf.exe	Request for Quotation...pdf.exe
PID 2148 set thread context of 3572	2148	Request for Quotation...pdf.exe	Explorer.EXE
PID 3116 set thread context of 3572	3116	cmstp.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

Request for Quotation...pdf.execmstp.exe

pid	process
2148	Request for Quotation...pdf.exe
2148	Request for Quotation...pdf.exe
2148	Request for Quotation...pdf.exe
2148	Request for Quotation...pdf.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe
3116	cmstp.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

Request for Quotation...pdf.execmstp.exe

pid process

2148 Request for Quotation...pdf.exe
2148 Request for Quotation...pdf.exe
2148 Request for Quotation...pdf.exe
3116 cmstp.exe
3116 cmstp.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

Request for Quotation...pdf.execmstp.exe

description pid process

Token: SeDebugPrivilege 2148 Request for Quotation...pdf.exe
Token: SeDebugPrivilege 3116 cmstp.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3572 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	2148	Request for Quotation...pdf.exe
Token: SeDebugPrivilege	3116	cmstp.exe

pid	process
3572	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

Request for Quotation...pdf.exeExplorer.EXEcmstp.exe

description	pid	process	target process
PID 5036 wrote to memory of 2148	5036	Request for Quotation...pdf.exe	Request for Quotation...pdf.exe
PID 5036 wrote to memory of 2148	5036	Request for Quotation...pdf.exe	Request for Quotation...pdf.exe
PID 5036 wrote to memory of 2148	5036	Request for Quotation...pdf.exe	Request for Quotation...pdf.exe
PID 5036 wrote to memory of 2148	5036	Request for Quotation...pdf.exe	Request for Quotation...pdf.exe
PID 5036 wrote to memory of 2148	5036	Request for Quotation...pdf.exe	Request for Quotation...pdf.exe
PID 5036 wrote to memory of 2148	5036	Request for Quotation...pdf.exe	Request for Quotation...pdf.exe
PID 3572 wrote to memory of 3116	3572	Explorer.EXE	cmstp.exe
PID 3572 wrote to memory of 3116	3572	Explorer.EXE	cmstp.exe
PID 3572 wrote to memory of 3116	3572	Explorer.EXE	cmstp.exe
PID 3116 wrote to memory of 768	3116	cmstp.exe	cmd.exe
PID 3116 wrote to memory of 768	3116	cmstp.exe	cmd.exe
PID 3116 wrote to memory of 768	3116	cmstp.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3572

C:\Users\Admin\AppData\Local\Temp\Request for Quotation...pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation...pdf.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5036

C:\Users\Admin\AppData\Local\Temp\Request for Quotation...pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Request for Quotation...pdf.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2148

C:\Windows\SysWOW64\cmstp.exe
"C:\Windows\SysWOW64\cmstp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3116

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\Request for Quotation...pdf.exe"
3⤵
PID:768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2148-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2148-17-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2148-18-0x00000000016B0000-0x00000000016C4000-memory.dmp

Filesize
80KB

Download
memory/2148-15-0x0000000001B90000-0x0000000001EDA000-memory.dmp

Filesize
3.3MB

Download
memory/3116-23-0x0000000002480000-0x00000000027CA000-memory.dmp

Filesize
3.3MB

Download
memory/3116-28-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/3116-25-0x00000000023B0000-0x0000000002443000-memory.dmp

Filesize
588KB

Download
memory/3116-22-0x0000000000360000-0x000000000038E000-memory.dmp

Filesize
184KB

Download
memory/3116-21-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/3116-20-0x0000000000430000-0x0000000000446000-memory.dmp

Filesize
88KB

Download
memory/3572-19-0x0000000008CA0000-0x0000000008E10000-memory.dmp

Filesize
1.4MB

Download
memory/3572-34-0x000000000A8B0000-0x000000000AA2A000-memory.dmp

Filesize
1.5MB

Download
memory/3572-31-0x000000000A8B0000-0x000000000AA2A000-memory.dmp

Filesize
1.5MB

Download
memory/3572-30-0x000000000A8B0000-0x000000000AA2A000-memory.dmp

Filesize
1.5MB

Download
memory/3572-26-0x0000000008CA0000-0x0000000008E10000-memory.dmp

Filesize
1.4MB

Download
memory/5036-10-0x0000000007620000-0x00000000076D0000-memory.dmp

Filesize
704KB

Download
memory/5036-1-0x0000000000EF0000-0x0000000000FD4000-memory.dmp

Filesize
912KB

Download
memory/5036-2-0x0000000006020000-0x00000000065C4000-memory.dmp

Filesize
5.6MB

Download
memory/5036-3-0x00000000059A0000-0x0000000005A32000-memory.dmp

Filesize
584KB

Download
memory/5036-14-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/5036-4-0x0000000005B10000-0x0000000005BAC000-memory.dmp

Filesize
624KB

Download
memory/5036-0-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/5036-11-0x0000000009CA0000-0x0000000009CE0000-memory.dmp

Filesize
256KB

Download
memory/5036-5-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/5036-9-0x0000000005D70000-0x0000000005D80000-memory.dmp

Filesize
64KB

Download
memory/5036-8-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/5036-7-0x0000000005CE0000-0x0000000005CF8000-memory.dmp

Filesize
96KB

Download
memory/5036-6-0x0000000005A70000-0x0000000005A7A000-memory.dmp

Filesize
40KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads