formbook | 4acc0dbaeb63dfaa4815deac04d75aeb8e9741c6fa66a5b55b460a4b3cf2b9b1

General

Target

IZPnmcCu5EZWa98.exe
Size

594KB
MD5

a5a66a419e31b8a69cf1bd612ec6ffde
SHA1

a8e3a66fff21e337ada34998a717aaad0d323fc0
SHA256

e004e6798d1e44ac7f24a273eeb129c8dfe9e4522baeda0e6756ec5319b90af1
SHA512

9b797f22e6e1a030255adf506514ae3567fafc7853b5aa116a44bed0e63a62589cfe500cc84b98a62f10132fa14d2137da5c1622320433df71344bdad24faf93
SSDEEP

12288:+FIsPALdYGwUQkNVgnkLclbIDCTBr4TXzwgOAju:YIKtGEkNynD5IOTexTj

Score

10^/10

formbook dy13 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dy13

Decoy

manga-house.com

kjsdhklssk51.xyz

b0ba138.xyz

bt365033.com

ccbsinc.net

mrwine.xyz

nrxkrd527o.xyz

hoshi.social

1912ai.com

serco2020.com

byfchfyr.xyz

imuschestvostorgov.online

austinheafey.com

mrdfa.club

883106.photos

profitablefxmarkets.com

taini00.net

brye.top

ginsm.com

sportglid.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1944-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1944-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1692-21-0x0000000000640000-0x000000000066F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

IZPnmcCu5EZWa98.exeIZPnmcCu5EZWa98.exeNETSTAT.EXE

description	pid	process	target process
PID 1696 set thread context of 1944	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1944 set thread context of 3408	1944	IZPnmcCu5EZWa98.exe	Explorer.EXE
PID 1692 set thread context of 3408	1692	NETSTAT.EXE	Explorer.EXE

Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

NETSTAT.EXE

pid process

1692 NETSTAT.EXE

pid	process
1692	NETSTAT.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

IZPnmcCu5EZWa98.exeIZPnmcCu5EZWa98.exeNETSTAT.EXE

pid	process
1696	IZPnmcCu5EZWa98.exe
1696	IZPnmcCu5EZWa98.exe
1944	IZPnmcCu5EZWa98.exe
1944	IZPnmcCu5EZWa98.exe
1944	IZPnmcCu5EZWa98.exe
1944	IZPnmcCu5EZWa98.exe
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE
1692	NETSTAT.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

IZPnmcCu5EZWa98.exeNETSTAT.EXE

pid process

1944 IZPnmcCu5EZWa98.exe
1944 IZPnmcCu5EZWa98.exe
1944 IZPnmcCu5EZWa98.exe
1692 NETSTAT.EXE
1692 NETSTAT.EXE
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

IZPnmcCu5EZWa98.exeIZPnmcCu5EZWa98.exeNETSTAT.EXE

description pid process

Token: SeDebugPrivilege 1696 IZPnmcCu5EZWa98.exe
Token: SeDebugPrivilege 1944 IZPnmcCu5EZWa98.exe
Token: SeDebugPrivilege 1692 NETSTAT.EXE
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3408 Explorer.EXE
3408 Explorer.EXE
3408 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3408 Explorer.EXE
3408 Explorer.EXE
3408 Explorer.EXE

pid	process
1944	IZPnmcCu5EZWa98.exe
1944	IZPnmcCu5EZWa98.exe
1944	IZPnmcCu5EZWa98.exe
1692	NETSTAT.EXE
1692	NETSTAT.EXE

description	pid	process
Token: SeDebugPrivilege	1696	IZPnmcCu5EZWa98.exe
Token: SeDebugPrivilege	1944	IZPnmcCu5EZWa98.exe
Token: SeDebugPrivilege	1692	NETSTAT.EXE

pid	process
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE

pid	process
3408	Explorer.EXE
3408	Explorer.EXE
3408	Explorer.EXE

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

IZPnmcCu5EZWa98.exeExplorer.EXENETSTAT.EXE

description	pid	process	target process
PID 1696 wrote to memory of 1940	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1940	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1940	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1944	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1944	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1944	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1944	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1944	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 1696 wrote to memory of 1944	1696	IZPnmcCu5EZWa98.exe	IZPnmcCu5EZWa98.exe
PID 3408 wrote to memory of 1692	3408	Explorer.EXE	NETSTAT.EXE
PID 3408 wrote to memory of 1692	3408	Explorer.EXE	NETSTAT.EXE
PID 3408 wrote to memory of 1692	3408	Explorer.EXE	NETSTAT.EXE
PID 1692 wrote to memory of 2656	1692	NETSTAT.EXE	cmd.exe
PID 1692 wrote to memory of 2656	1692	NETSTAT.EXE	cmd.exe
PID 1692 wrote to memory of 2656	1692	NETSTAT.EXE	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3408

C:\Users\Admin\AppData\Local\Temp\IZPnmcCu5EZWa98.exe
"C:\Users\Admin\AppData\Local\Temp\IZPnmcCu5EZWa98.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1696

C:\Users\Admin\AppData\Local\Temp\IZPnmcCu5EZWa98.exe
"C:\Users\Admin\AppData\Local\Temp\IZPnmcCu5EZWa98.exe"
3⤵
PID:1940

C:\Users\Admin\AppData\Local\Temp\IZPnmcCu5EZWa98.exe
"C:\Users\Admin\AppData\Local\Temp\IZPnmcCu5EZWa98.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1944

C:\Windows\SysWOW64\NETSTAT.EXE
"C:\Windows\SysWOW64\NETSTAT.EXE"
2⤵
- Suspicious use of SetThreadContext
- Gathers network information
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1692

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\IZPnmcCu5EZWa98.exe"
3⤵
PID:2656

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-19-0x0000000000050000-0x000000000005B000-memory.dmp

Filesize
44KB

Download
memory/1692-21-0x0000000000640000-0x000000000066F000-memory.dmp

Filesize
188KB

Download
memory/1692-20-0x0000000000050000-0x000000000005B000-memory.dmp

Filesize
44KB

Download
memory/1696-6-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/1696-1-0x0000000000D10000-0x0000000000DAA000-memory.dmp

Filesize
616KB

Download
memory/1696-5-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1696-0-0x0000000074E3E000-0x0000000074E3F000-memory.dmp

Filesize
4KB

Download
memory/1696-7-0x00000000059D0000-0x00000000059E2000-memory.dmp

Filesize
72KB

Download
memory/1696-8-0x0000000008150000-0x0000000008158000-memory.dmp

Filesize
32KB

Download
memory/1696-9-0x0000000008160000-0x000000000816C000-memory.dmp

Filesize
48KB

Download
memory/1696-10-0x00000000081F0000-0x0000000008266000-memory.dmp

Filesize
472KB

Download
memory/1696-4-0x0000000005850000-0x000000000585A000-memory.dmp

Filesize
40KB

Download
memory/1696-13-0x0000000074E30000-0x00000000755E0000-memory.dmp

Filesize
7.7MB

Download
memory/1696-2-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/1696-3-0x00000000057A0000-0x0000000005832000-memory.dmp

Filesize
584KB

Download
memory/1944-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-17-0x0000000000B80000-0x0000000000B95000-memory.dmp

Filesize
84KB

Download
memory/1944-14-0x0000000001000000-0x000000000134A000-memory.dmp

Filesize
3.3MB

Download
memory/1944-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3408-18-0x00000000080C0000-0x000000000825F000-memory.dmp

Filesize
1.6MB

Download
memory/3408-23-0x00000000080C0000-0x000000000825F000-memory.dmp

Filesize
1.6MB

Download
memory/3408-28-0x00000000086C0000-0x000000000879F000-memory.dmp

Filesize
892KB

Download
memory/3408-30-0x00000000086C0000-0x000000000879F000-memory.dmp

Filesize
892KB

Download
memory/3408-33-0x00000000086C0000-0x000000000879F000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads