formbook | 72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702

General

Target

72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
Size

1.0MB
MD5

339ae69e221743fd181a78cad3fe7e60
SHA1

ea6e6b0f7c267995084d31467383ef22de89ba00
SHA256

72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702
SHA512

6a96ddfaef5d03f08be2ba1c20821201cc016d76f2a9fffec9ddaa7d285b01ae850aeb8f42c72afe997c0afe21d1fbb6c0c486a7b50b19b6316205edab91a18a
SSDEEP

24576:RAHnh+eWsN3skA4RV1Hom2KXMmHatecJSNefwmnfGLGKRZjb35:oh+ZkldoPK8Yate6SIfBffojd

Score

10^/10

formbook as02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

as02

Decoy

qwin777.com

robinhoods.live

h3jh-dal.pics

braindeadcopywriting.com

kktcbet1000.com

mpo0463.cfd

raboteshoes.com

ab1718.com

lowcrusiers.com

gregcopelandmusic.com

dkfndch.store

firstclassuni.com

00ewu1ub.com

shunweichemical.com

sugarits.com

marqify.com

mistmajik.com

trezip.online

tinytables.xyz

suestergocoaching.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/668-11-0x0000000000450000-0x000000000047F000-memory.dmp	formbook
behavioral2/memory/668-15-0x0000000000450000-0x000000000047F000-memory.dmp	formbook
behavioral2/memory/1872-21-0x0000000001230000-0x000000000125F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exesvchost.exerundll32.exe

description	pid	process	target process
PID 4456 set thread context of 668	4456	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe	svchost.exe
PID 668 set thread context of 3440	668	svchost.exe	Explorer.EXE
PID 1872 set thread context of 3440	1872	rundll32.exe	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2868 4456 WerFault.exe 72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe

pid	pid_target	process	target process
2868	4456	WerFault.exe	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

svchost.exerundll32.exe

pid	process
668	svchost.exe
668	svchost.exe
668	svchost.exe
668	svchost.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe
1872	rundll32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exesvchost.exerundll32.exe

pid	process
4456	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
4456	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
668	svchost.exe
668	svchost.exe
668	svchost.exe
1872	rundll32.exe
1872	rundll32.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeExplorer.EXErundll32.exe

description	pid	process
Token: SeDebugPrivilege	668	svchost.exe
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeShutdownPrivilege	3440	Explorer.EXE
Token: SeCreatePagefilePrivilege	3440	Explorer.EXE
Token: SeDebugPrivilege	1872	rundll32.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe

pid process

4456 72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
4456 72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe

pid process

4456 72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
4456 72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3440 Explorer.EXE

pid	process
3440	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 4456 wrote to memory of 668	4456	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe	svchost.exe
PID 4456 wrote to memory of 668	4456	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe	svchost.exe
PID 4456 wrote to memory of 668	4456	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe	svchost.exe
PID 4456 wrote to memory of 668	4456	72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe	svchost.exe
PID 3440 wrote to memory of 1872	3440	Explorer.EXE	rundll32.exe
PID 3440 wrote to memory of 1872	3440	Explorer.EXE	rundll32.exe
PID 3440 wrote to memory of 1872	3440	Explorer.EXE	rundll32.exe
PID 1872 wrote to memory of 2580	1872	rundll32.exe	cmd.exe
PID 1872 wrote to memory of 2580	1872	rundll32.exe	cmd.exe
PID 1872 wrote to memory of 2580	1872	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Temp\72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4456

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\72386d293874079ed88a5f8d2ba12ba0c73d9014a1cdc8c46a4798e638ff7702_NeikiAnalytics.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4456 -s 704
3⤵
- Program crash
PID:2868

C:\Windows\SysWOW64\autochk.exe
"C:\Windows\SysWOW64\autochk.exe"
2⤵
PID:1508

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1872

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4456 -ip 4456
1⤵
PID:2696

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/668-16-0x00000000005D0000-0x00000000005E5000-memory.dmp

Filesize
84KB

Download
memory/668-11-0x0000000000450000-0x000000000047F000-memory.dmp

Filesize
188KB

Download
memory/668-14-0x0000000001100000-0x000000000144A000-memory.dmp

Filesize
3.3MB

Download
memory/668-15-0x0000000000450000-0x000000000047F000-memory.dmp

Filesize
188KB

Download
memory/1872-18-0x0000000000E90000-0x0000000000EA4000-memory.dmp

Filesize
80KB

Download
memory/1872-20-0x0000000000E90000-0x0000000000EA4000-memory.dmp

Filesize
80KB

Download
memory/1872-21-0x0000000001230000-0x000000000125F000-memory.dmp

Filesize
188KB

Download
memory/3440-17-0x00000000083B0000-0x00000000084AF000-memory.dmp

Filesize
1020KB

Download
memory/3440-23-0x00000000083B0000-0x00000000084AF000-memory.dmp

Filesize
1020KB

Download
memory/3440-26-0x0000000008B20000-0x0000000008C69000-memory.dmp

Filesize
1.3MB

Download
memory/3440-27-0x0000000008B20000-0x0000000008C69000-memory.dmp

Filesize
1.3MB

Download
memory/3440-30-0x0000000008B20000-0x0000000008C69000-memory.dmp

Filesize
1.3MB

Download
memory/4456-10-0x00000000010D0000-0x00000000010D4000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads