formbook | 2ee5255934af2f37c295770b441baf6f12e4483e7eb5281df70a4a0164521c70

General

Target

TT-SWIFT-Schindler.exe
Size

2.4MB
MD5

c2105f208d13b645b762e3c592969bb8
SHA1

9d1ee2c7c7f9fdf744f0bca64e26693aceaeabe9
SHA256

2ee5255934af2f37c295770b441baf6f12e4483e7eb5281df70a4a0164521c70
SHA512

23a1427df886d8f5b84b7ae6012905a9e3215785b95f59e0535fa003b2eef79594bcd8653c1bf7056ec1ff92b9cfded8a44055807b3d63f34046d531dcd5b64f
SSDEEP

12288:C42m6rLTvbLZlRxTeOw7sR9yZRq+JtpHc0rC0V/77EfRGW6p0GCE9Kg:6m6rLzbtRTeF4crC0Vz7EfIW6p024g

Score

10^/10

formbook m10e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m10e

Decoy

yallanal3b.store

centrumturkiye.net

ibl303.com

cobuyseattle.com

verdictvaultlegal.com

qak8b.live

www63396aa.com

libertydiscountcleaners.com

65a3.com

korabli.site

midsouthinssolutions.com

polakampus.site

pinadaycare.com

bhuzsvjwjyowlqe.xyz

www9143685.com

cbhconsulting.online

jesusparticles.info

tryih.com

imevqszk.xyz

gdelmt597c.top

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3172-4-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3172-7-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3172-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2816-17-0x00000000012C0000-0x00000000012EF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

TT-SWIFT-Schindler.execsc.execolorcpl.exe

description	pid	process	target process
PID 2444 set thread context of 3172	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 3172 set thread context of 3532	3172	csc.exe	Explorer.EXE
PID 3172 set thread context of 3532	3172	csc.exe	Explorer.EXE
PID 2816 set thread context of 3532	2816	colorcpl.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

csc.execolorcpl.exe

pid	process
3172	csc.exe
3172	csc.exe
3172	csc.exe
3172	csc.exe
3172	csc.exe
3172	csc.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe
2816	colorcpl.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

csc.execolorcpl.exe

pid process

3172 csc.exe
3172 csc.exe
3172 csc.exe
3172 csc.exe
2816 colorcpl.exe
2816 colorcpl.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

csc.exeExplorer.EXEcolorcpl.exe

description pid process

Token: SeDebugPrivilege 3172 csc.exe
Token: SeShutdownPrivilege 3532 Explorer.EXE
Token: SeCreatePagefilePrivilege 3532 Explorer.EXE
Token: SeDebugPrivilege 2816 colorcpl.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3532 Explorer.EXE
3532 Explorer.EXE
3532 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3532 Explorer.EXE
3532 Explorer.EXE
3532 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3532 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	3172	csc.exe
Token: SeShutdownPrivilege	3532	Explorer.EXE
Token: SeCreatePagefilePrivilege	3532	Explorer.EXE
Token: SeDebugPrivilege	2816	colorcpl.exe

pid	process
3532	Explorer.EXE
3532	Explorer.EXE
3532	Explorer.EXE

pid	process
3532	Explorer.EXE
3532	Explorer.EXE
3532	Explorer.EXE

pid	process
3532	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

TT-SWIFT-Schindler.execsc.execolorcpl.exe

description	pid	process	target process
PID 2444 wrote to memory of 3172	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 3172	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 3172	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 3172	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 3172	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 3172	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 4704	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 4704	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 2444 wrote to memory of 4704	2444	TT-SWIFT-Schindler.exe	csc.exe
PID 3172 wrote to memory of 2816	3172	csc.exe	colorcpl.exe
PID 3172 wrote to memory of 2816	3172	csc.exe	colorcpl.exe
PID 3172 wrote to memory of 2816	3172	csc.exe	colorcpl.exe
PID 2816 wrote to memory of 2828	2816	colorcpl.exe	cmd.exe
PID 2816 wrote to memory of 2828	2816	colorcpl.exe	cmd.exe
PID 2816 wrote to memory of 2828	2816	colorcpl.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
PID:3532

C:\Users\Admin\AppData\Local\Temp\TT-SWIFT-Schindler.exe
"C:\Users\Admin\AppData\Local\Temp\TT-SWIFT-Schindler.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3172

C:\Windows\SysWOW64\colorcpl.exe
"C:\Windows\SysWOW64\colorcpl.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
5⤵
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
PID:4704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2444-10-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/2444-1-0x000001A476AD0000-0x000001A476ADC000-memory.dmp

Filesize
48KB

Download
memory/2444-2-0x00007FFEE9C40000-0x00007FFEEA701000-memory.dmp

Filesize
10.8MB

Download
memory/2444-3-0x000001A4792A0000-0x000001A479326000-memory.dmp

Filesize
536KB

Download
memory/2444-0-0x00007FFEE9C43000-0x00007FFEE9C45000-memory.dmp

Filesize
8KB

Download
memory/2816-17-0x00000000012C0000-0x00000000012EF000-memory.dmp

Filesize
188KB

Download
memory/2816-16-0x0000000000830000-0x0000000000849000-memory.dmp

Filesize
100KB

Download
memory/2816-15-0x0000000000830000-0x0000000000849000-memory.dmp

Filesize
100KB

Download
memory/3172-5-0x0000000001980000-0x0000000001CCA000-memory.dmp

Filesize
3.3MB

Download
memory/3172-13-0x0000000001950000-0x0000000001964000-memory.dmp

Filesize
80KB

Download
memory/3172-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3172-8-0x00000000014D0000-0x00000000014E4000-memory.dmp

Filesize
80KB

Download
memory/3172-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3532-9-0x00000000070F0000-0x00000000071F3000-memory.dmp

Filesize
1.0MB

Download
memory/3532-14-0x00000000085D0000-0x000000000871A000-memory.dmp

Filesize
1.3MB

Download
memory/3532-19-0x00000000085D0000-0x000000000871A000-memory.dmp

Filesize
1.3MB

Download
memory/3532-21-0x0000000008020000-0x0000000008117000-memory.dmp

Filesize
988KB

Download
memory/3532-22-0x0000000008020000-0x0000000008117000-memory.dmp

Filesize
988KB

Download
memory/3532-25-0x0000000008020000-0x0000000008117000-memory.dmp

Filesize
988KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads