formbook | 51b6e66830ed3c735e61530f8d1d22773a0fe7ee4c3548e46785492378ffc93d

General

Target

MTM2019-2 ph12 RESG.exe
Size

1.6MB
MD5

ca6397f8234b085dbffcd71872910163
SHA1

aed7c39031d764e25c5758a3c276144cee36a131
SHA256

cd4b7cfc524a98551a90fccc7110e52fcce550152cf1ad1017fba87c68faab1d
SHA512

6221ddef49a594636f172335e01328d99d75aa2974c9935d10d244504e810682c61b63ea7db94425b89a1302947e597a50ec8444a607d72434e631532f90820a
SSDEEP

24576:+AHnh+eWsN3skA4RV1Hom2KXMmHa2uuuuuuuuuuuuuuuuuuuuuuuuuuuuuuyCSbY:ph+ZkldoPK8Yajl0

Score

10^/10

formbook bi rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

bi

Decoy

paulmeehanart.com

east-parker.com

brenttitcomb.com

joannaoon.com

pufrzgl.com

jconscomml.com

alyssafergusonart.com

yuperspective.com

sheseed.com

soicausieuchuan102.com

facexl.com

greenmountainpwc.com

perthbusinessclass.com

gerpling24.com

frbzf.com

netsycosmetics.co.uk

qiulen.com

connecticutstudent.loan

mclellansautomotive.net

kaifanghuashi.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1752-2-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1752-9-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

MTM2019-2 ph12 RESG.exeRegAsm.exeNAPSTAT.EXE

description	pid	process	target process
PID 2012 set thread context of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 1752 set thread context of 1208	1752	RegAsm.exe	Explorer.EXE
PID 2612 set thread context of 1208	2612	NAPSTAT.EXE	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

RegAsm.exeNAPSTAT.EXE

pid	process
1752	RegAsm.exe
1752	RegAsm.exe
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE
2612	NAPSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RegAsm.exeNAPSTAT.EXE

pid process

1752 RegAsm.exe
1752 RegAsm.exe
1752 RegAsm.exe
2612 NAPSTAT.EXE
2612 NAPSTAT.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

RegAsm.exeNAPSTAT.EXE

description pid process

Token: SeDebugPrivilege 1752 RegAsm.exe
Token: SeDebugPrivilege 2612 NAPSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1752	RegAsm.exe
Token: SeDebugPrivilege	2612	NAPSTAT.EXE

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

MTM2019-2 ph12 RESG.exeExplorer.EXENAPSTAT.EXE

description	pid	process	target process
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 2012 wrote to memory of 1752	2012	MTM2019-2 ph12 RESG.exe	RegAsm.exe
PID 1208 wrote to memory of 2612	1208	Explorer.EXE	NAPSTAT.EXE
PID 1208 wrote to memory of 2612	1208	Explorer.EXE	NAPSTAT.EXE
PID 1208 wrote to memory of 2612	1208	Explorer.EXE	NAPSTAT.EXE
PID 1208 wrote to memory of 2612	1208	Explorer.EXE	NAPSTAT.EXE
PID 2612 wrote to memory of 2532	2612	NAPSTAT.EXE	cmd.exe
PID 2612 wrote to memory of 2532	2612	NAPSTAT.EXE	cmd.exe
PID 2612 wrote to memory of 2532	2612	NAPSTAT.EXE	cmd.exe
PID 2612 wrote to memory of 2532	2612	NAPSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1208

C:\Users\Admin\AppData\Local\Temp\MTM2019-2 ph12 RESG.exe
"C:\Users\Admin\AppData\Local\Temp\MTM2019-2 ph12 RESG.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2012

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1752

C:\Windows\SysWOW64\NAPSTAT.EXE
"C:\Windows\SysWOW64\NAPSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2612

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"
3⤵
PID:2532

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1208-7-0x0000000003180000-0x0000000003280000-memory.dmp

Filesize
1024KB

Download
memory/1208-10-0x00000000050C0000-0x00000000051AA000-memory.dmp

Filesize
936KB

Download
memory/1208-15-0x00000000050C0000-0x00000000051AA000-memory.dmp

Filesize
936KB

Download
memory/1752-2-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1752-1-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-8-0x0000000000360000-0x0000000000374000-memory.dmp

Filesize
80KB

Download
memory/1752-9-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1752-6-0x0000000002610000-0x0000000002913000-memory.dmp

Filesize
3.0MB

Download
memory/2012-0-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2612-11-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download
memory/2612-12-0x0000000000330000-0x0000000000376000-memory.dmp

Filesize
280KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads