formbook | 93b04d266b5fddd03311c3d22a2a37ab451a3a0c6e1a28ebc2764ee5691e3291

General

Target

yiLe926pJsBgixu.exe
Size

648KB
MD5

b5c6dfe319520065564fa342e1350b9e
SHA1

949eecf1075c49cfbfd6bb843dcbf0436660aac2
SHA256

93b04d266b5fddd03311c3d22a2a37ab451a3a0c6e1a28ebc2764ee5691e3291
SHA512

268f3d739f7397e384a3f5e462ba56f1ee9b8208e0041c52f19eccf136b32bb80f6cfb2dd1a1f5612ad42caffa55fbe24dc1787fdb4cdfcd29dfca38b01bbadb
SSDEEP

12288:CPOc0ArVAW0Ez3WZY6mCYNkMx9Dsa7Qq/be:fihvF3WZYUYSMDsN

Score

10^/10

formbook cr12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cr12

Decoy

nff1291.com

satyainfra.com

hechiceradeamores.com

jfgminimalist.com

qut68q.com

pedandmore.com

sugardefender24-usa.us

somalse.com

lotusluxecandle.com

certificadobassetpro.com

veryaroma.com

thehistoryofindia.in

33155.cc

terastudy.net

84031.vip

heilsambegegnen.com

horizon-rg.info

junongpei.website

winstons.club

henslotalt.us

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1508-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1508-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2684-23-0x00000000000C0000-0x00000000000EF000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2864 cmd.exe

pid	process
2864	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

yiLe926pJsBgixu.exeyiLe926pJsBgixu.exesystray.exe

description	pid	process	target process
PID 2028 set thread context of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 1508 set thread context of 1204	1508	yiLe926pJsBgixu.exe	Explorer.EXE
PID 2684 set thread context of 1204	2684	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

yiLe926pJsBgixu.exesystray.exe

pid	process
1508	yiLe926pJsBgixu.exe
1508	yiLe926pJsBgixu.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe
2684	systray.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

yiLe926pJsBgixu.exesystray.exe

pid process

1508 yiLe926pJsBgixu.exe
1508 yiLe926pJsBgixu.exe
1508 yiLe926pJsBgixu.exe
2684 systray.exe
2684 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

yiLe926pJsBgixu.exesystray.exe

description pid process

Token: SeDebugPrivilege 1508 yiLe926pJsBgixu.exe
Token: SeDebugPrivilege 2684 systray.exe

description	pid	process
Token: SeDebugPrivilege	1508	yiLe926pJsBgixu.exe
Token: SeDebugPrivilege	2684	systray.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

yiLe926pJsBgixu.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2028 wrote to memory of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 2028 wrote to memory of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 2028 wrote to memory of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 2028 wrote to memory of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 2028 wrote to memory of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 2028 wrote to memory of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 2028 wrote to memory of 1508	2028	yiLe926pJsBgixu.exe	yiLe926pJsBgixu.exe
PID 1204 wrote to memory of 2684	1204	Explorer.EXE	systray.exe
PID 1204 wrote to memory of 2684	1204	Explorer.EXE	systray.exe
PID 1204 wrote to memory of 2684	1204	Explorer.EXE	systray.exe
PID 1204 wrote to memory of 2684	1204	Explorer.EXE	systray.exe
PID 2684 wrote to memory of 2864	2684	systray.exe	cmd.exe
PID 2684 wrote to memory of 2864	2684	systray.exe	cmd.exe
PID 2684 wrote to memory of 2864	2684	systray.exe	cmd.exe
PID 2684 wrote to memory of 2864	2684	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\yiLe926pJsBgixu.exe
  "C:\Users\Admin\AppData\Local\Temp\yiLe926pJsBgixu.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Users\Admin\AppData\Local\Temp\yiLe926pJsBgixu.exe
    "C:\Users\Admin\AppData\Local\Temp\yiLe926pJsBgixu.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1508
- C:\Windows\SysWOW64\systray.exe
  "C:\Windows\SysWOW64\systray.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\yiLe926pJsBgixu.exe"
    3⤵
    - Deletes itself
    PID:2864

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-25-0x0000000004D40000-0x0000000004E00000-memory.dmp

Filesize
768KB

Download
memory/1204-19-0x0000000004D40000-0x0000000004E00000-memory.dmp

Filesize
768KB

Download
memory/1204-16-0x0000000003B50000-0x0000000003C50000-memory.dmp

Filesize
1024KB

Download
memory/1508-14-0x0000000000870000-0x0000000000B73000-memory.dmp

Filesize
3.0MB

Download
memory/1508-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-18-0x0000000000170000-0x0000000000184000-memory.dmp

Filesize
80KB

Download
memory/1508-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1508-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2028-5-0x0000000005160000-0x00000000051D6000-memory.dmp

Filesize
472KB

Download
memory/2028-13-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-0-0x00000000745EE000-0x00000000745EF000-memory.dmp

Filesize
4KB

Download
memory/2028-4-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/2028-3-0x00000000003E0000-0x00000000003F8000-memory.dmp

Filesize
96KB

Download
memory/2028-2-0x00000000745E0000-0x0000000074CCE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-1-0x0000000001120000-0x00000000011C6000-memory.dmp

Filesize
664KB

Download
memory/2684-20-0x0000000000ED0000-0x0000000000ED5000-memory.dmp

Filesize
20KB

Download
memory/2684-22-0x0000000000ED0000-0x0000000000ED5000-memory.dmp

Filesize
20KB

Download
memory/2684-23-0x00000000000C0000-0x00000000000EF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads