formbook | 294d980ee33b3ee783ef73efa634d8f910ac910f3a1d2b685daea4151dc7d3f2

General

Target

New request for quotation9867875‮fdp.exe
Size

450KB
MD5

8bdeb6070b54bcbb362faea15aaf8f7f
SHA1

7708c09b98622341b13ffcb99fd61778f51c16fc
SHA256

63b52bedfe18fe9a059dafcf21ed7d2bd58b00e8b4078c98e165c36e3d347b60
SHA512

1033d22a99be996d10eea1affa1beaf067eb29c7235ae7080e86f8da71b0ee5252b4cdf45e0553897cdeae49154c113cf7ac8ed02bc2a38de8df1b1d042d0c23
SSDEEP

6144:9aUDG3Kp1O6VEJD6Lpzu5VGZ1xbt3oN/EqiOq762DOHXRSE8:9aUDd26VEt6pu5GbtwEqXq7pDOHw

Score

10^/10

formbook m1d agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m1d

Decoy

ecodezine.com

petshoot.com

finamoreservices.com

blcbbs.com

isarlog.com

vitall-holding.com

deeperootscbd.com

elizabethavan.com

xn--hizmetasistanm-igc.com

healing-with-touch.com

zebfx.com

optibm.com

mybrandsellsyourland.com

estebanell.com

average-gaming.net

beproudof.site

werrei.com

97mix.com

pastaneli.com

topryan.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2040-1-0x0000000000A80000-0x0000000000AF6000-memory.dmp	formbook
behavioral1/memory/2644-14-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral1/memory/2644-19-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2684 cmd.exe

pid	process
2684	cmd.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral1/memory/2040-2-0x00000000002F0000-0x0000000000304000-memory.dmp	agile_net

Suspicious use of SetThreadContext 3 IoCs

Processes:

New request for quotation9867875‮fdp.exeNew request for quotation9867875‮fdp.exerundll32.exe

description	pid	process	target process
PID 2040 set thread context of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 2644 set thread context of 1152	2644	New request for quotation9867875‮fdp.exe	Explorer.EXE
PID 2408 set thread context of 1152	2408	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 29 IoCs

Processes:

New request for quotation9867875‮fdp.exeNew request for quotation9867875‮fdp.exerundll32.exe

pid	process
2040	New request for quotation9867875‮fdp.exe
2040	New request for quotation9867875‮fdp.exe
2040	New request for quotation9867875‮fdp.exe
2644	New request for quotation9867875‮fdp.exe
2644	New request for quotation9867875‮fdp.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe
2408	rundll32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

New request for quotation9867875‮fdp.exerundll32.exe

pid	process
2644	New request for quotation9867875‮fdp.exe
2644	New request for quotation9867875‮fdp.exe
2644	New request for quotation9867875‮fdp.exe
2408	rundll32.exe
2408	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

New request for quotation9867875‮fdp.exeNew request for quotation9867875‮fdp.exerundll32.exe

description	pid	process
Token: SeDebugPrivilege	2040	New request for quotation9867875‮fdp.exe
Token: SeDebugPrivilege	2644	New request for quotation9867875‮fdp.exe
Token: SeDebugPrivilege	2408	rundll32.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

New request for quotation9867875‮fdp.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 2040 wrote to memory of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 2040 wrote to memory of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 2040 wrote to memory of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 2040 wrote to memory of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 2040 wrote to memory of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 2040 wrote to memory of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 2040 wrote to memory of 2644	2040	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 1152 wrote to memory of 2408	1152	Explorer.EXE	rundll32.exe
PID 1152 wrote to memory of 2408	1152	Explorer.EXE	rundll32.exe
PID 1152 wrote to memory of 2408	1152	Explorer.EXE	rundll32.exe
PID 1152 wrote to memory of 2408	1152	Explorer.EXE	rundll32.exe
PID 1152 wrote to memory of 2408	1152	Explorer.EXE	rundll32.exe
PID 1152 wrote to memory of 2408	1152	Explorer.EXE	rundll32.exe
PID 1152 wrote to memory of 2408	1152	Explorer.EXE	rundll32.exe
PID 2408 wrote to memory of 2684	2408	rundll32.exe	cmd.exe
PID 2408 wrote to memory of 2684	2408	rundll32.exe	cmd.exe
PID 2408 wrote to memory of 2684	2408	rundll32.exe	cmd.exe
PID 2408 wrote to memory of 2684	2408	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:1152

C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040

C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2644

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe"
3⤵
- Deletes itself
PID:2684

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1152-20-0x0000000003BD0000-0x0000000003CD0000-memory.dmp

Filesize
1024KB

Download
memory/1152-28-0x0000000006510000-0x00000000066B4000-memory.dmp

Filesize
1.6MB

Download
memory/1152-21-0x0000000006510000-0x00000000066B4000-memory.dmp

Filesize
1.6MB

Download
memory/2040-13-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-15-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-5-0x0000000074920000-0x000000007500E000-memory.dmp

Filesize
6.9MB

Download
memory/2040-1-0x0000000000A80000-0x0000000000AF6000-memory.dmp

Filesize
472KB

Download
memory/2040-2-0x00000000002F0000-0x0000000000304000-memory.dmp

Filesize
80KB

Download
memory/2040-10-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2040-3-0x0000000000310000-0x0000000000318000-memory.dmp

Filesize
32KB

Download
memory/2040-0-0x000000007492E000-0x000000007492F000-memory.dmp

Filesize
4KB

Download
memory/2040-4-0x0000000000340000-0x0000000000348000-memory.dmp

Filesize
32KB

Download
memory/2408-23-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2408-22-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2408-25-0x0000000000630000-0x000000000063E000-memory.dmp

Filesize
56KB

Download
memory/2644-14-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2644-17-0x0000000000B00000-0x0000000000E03000-memory.dmp

Filesize
3.0MB

Download
memory/2644-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-19-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2644-18-0x0000000000210000-0x0000000000224000-memory.dmp

Filesize
80KB

Download
memory/2644-9-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2644-6-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads