formbook | a507002ff2fe5ce654247c91b451a916ca0de14075f44a04ba032ad985142e20

General

Target

ARIVAL NOTICE.exe
Size

1.0MB
MD5

ba4626698cabac08fd9d2440f730e80c
SHA1

577f8e973cb926b58dffa2ec5a0ae1f9e451f128
SHA256

d6f3187ea8a4c0cb9e263a665487060b5b14caf184a5343b2ed928b67d16a264
SHA512

a15b63b4d018276272dd4e2667b79a859df83df8c96ea60b1bf9471e0138b40f7f4ce6c5d63424225fd5fbe1e6c55a9afd75e084b813967db7f49c9558465eda
SSDEEP

24576:SAHnh+eWsN3skA4RV1Hom2KXMmHao75RAQkLXWB3ryAv5:Vh+ZkldoPK8YaoX6jQ3ryQ

Score

10^/10

formbook as02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

as02

Decoy

qwin777.com

robinhoods.live

h3jh-dal.pics

braindeadcopywriting.com

kktcbet1000.com

mpo0463.cfd

raboteshoes.com

ab1718.com

lowcrusiers.com

gregcopelandmusic.com

dkfndch.store

firstclassuni.com

00ewu1ub.com

shunweichemical.com

sugarits.com

marqify.com

mistmajik.com

trezip.online

tinytables.xyz

suestergocoaching.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1636-11-0x0000000000600000-0x000000000062F000-memory.dmp	formbook
behavioral2/memory/1636-16-0x0000000000600000-0x000000000062F000-memory.dmp	formbook
behavioral2/memory/4308-22-0x0000000000990000-0x00000000009BF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

ARIVAL NOTICE.exesvchost.exeWWAHost.exe

description	pid	process	target process
PID 1772 set thread context of 1636	1772	ARIVAL NOTICE.exe	svchost.exe
PID 1636 set thread context of 3596	1636	svchost.exe	Explorer.EXE
PID 4308 set thread context of 3596	4308	WWAHost.exe	Explorer.EXE

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2292 1772 WerFault.exe ARIVAL NOTICE.exe

pid	pid_target	process	target process
2292	1772	WerFault.exe	ARIVAL NOTICE.exe

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

svchost.exeWWAHost.exe

pid	process
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe
4308	WWAHost.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

ARIVAL NOTICE.exesvchost.exeWWAHost.exe

pid process

1772 ARIVAL NOTICE.exe
1772 ARIVAL NOTICE.exe
1636 svchost.exe
1636 svchost.exe
1636 svchost.exe
4308 WWAHost.exe
4308 WWAHost.exe

pid	process
1772	ARIVAL NOTICE.exe
1772	ARIVAL NOTICE.exe
1636	svchost.exe
1636	svchost.exe
1636	svchost.exe
4308	WWAHost.exe
4308	WWAHost.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

svchost.exeExplorer.EXEWWAHost.exe

description	pid	process
Token: SeDebugPrivilege	1636	svchost.exe
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeShutdownPrivilege	3596	Explorer.EXE
Token: SeCreatePagefilePrivilege	3596	Explorer.EXE
Token: SeDebugPrivilege	4308	WWAHost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

ARIVAL NOTICE.exeExplorer.EXE

pid process

1772 ARIVAL NOTICE.exe
1772 ARIVAL NOTICE.exe
3596 Explorer.EXE
3596 Explorer.EXE
3596 Explorer.EXE
Suspicious use of SendNotifyMessage 5 IoCs

Processes:

ARIVAL NOTICE.exeExplorer.EXE

pid process

1772 ARIVAL NOTICE.exe
1772 ARIVAL NOTICE.exe
3596 Explorer.EXE
3596 Explorer.EXE
3596 Explorer.EXE

pid	process
1772	ARIVAL NOTICE.exe
1772	ARIVAL NOTICE.exe
3596	Explorer.EXE
3596	Explorer.EXE
3596	Explorer.EXE

pid	process
1772	ARIVAL NOTICE.exe
1772	ARIVAL NOTICE.exe
3596	Explorer.EXE
3596	Explorer.EXE
3596	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

ARIVAL NOTICE.exeExplorer.EXEWWAHost.exe

description	pid	process	target process
PID 1772 wrote to memory of 1636	1772	ARIVAL NOTICE.exe	svchost.exe
PID 1772 wrote to memory of 1636	1772	ARIVAL NOTICE.exe	svchost.exe
PID 1772 wrote to memory of 1636	1772	ARIVAL NOTICE.exe	svchost.exe
PID 1772 wrote to memory of 1636	1772	ARIVAL NOTICE.exe	svchost.exe
PID 3596 wrote to memory of 4308	3596	Explorer.EXE	WWAHost.exe
PID 3596 wrote to memory of 4308	3596	Explorer.EXE	WWAHost.exe
PID 3596 wrote to memory of 4308	3596	Explorer.EXE	WWAHost.exe
PID 4308 wrote to memory of 1372	4308	WWAHost.exe	cmd.exe
PID 4308 wrote to memory of 1372	4308	WWAHost.exe	cmd.exe
PID 4308 wrote to memory of 1372	4308	WWAHost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3596

C:\Users\Admin\AppData\Local\Temp\ARIVAL NOTICE.exe
"C:\Users\Admin\AppData\Local\Temp\ARIVAL NOTICE.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1772

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\ARIVAL NOTICE.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1772 -s 696
3⤵
- Program crash
PID:2292

C:\Windows\SysWOW64\WWAHost.exe
"C:\Windows\SysWOW64\WWAHost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4308

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:1372

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1772 -ip 1772
1⤵
PID:2680

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1636-11-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/1636-16-0x0000000000600000-0x000000000062F000-memory.dmp

Filesize
188KB

Download
memory/1636-15-0x0000000000F20000-0x0000000000F35000-memory.dmp

Filesize
84KB

Download
memory/1636-14-0x0000000001200000-0x000000000154A000-memory.dmp

Filesize
3.3MB

Download
memory/1772-10-0x0000000000C70000-0x0000000000C74000-memory.dmp

Filesize
16KB

Download
memory/3596-24-0x00000000086C0000-0x000000000878C000-memory.dmp

Filesize
816KB

Download
memory/3596-17-0x00000000086C0000-0x000000000878C000-memory.dmp

Filesize
816KB

Download
memory/3596-27-0x0000000008E40000-0x0000000008F80000-memory.dmp

Filesize
1.2MB

Download
memory/3596-28-0x0000000008E40000-0x0000000008F80000-memory.dmp

Filesize
1.2MB

Download
memory/3596-31-0x0000000008E40000-0x0000000008F80000-memory.dmp

Filesize
1.2MB

Download
memory/4308-18-0x00000000001C0000-0x000000000029C000-memory.dmp

Filesize
880KB

Download
memory/4308-21-0x00000000001C0000-0x000000000029C000-memory.dmp

Filesize
880KB

Download
memory/4308-22-0x0000000000990000-0x00000000009BF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads