formbook | 4c3b65dd4922985d090d2c12598837727e199627e48fd19b071472382b240284

General

Target

RFQ-ref_05921538.exe
Size

918KB
MD5

fb14abc040c25c13849b4c44308d962d
SHA1

60f55621f11075f2e3af4ae41baf2794a58d6a66
SHA256

4c3b65dd4922985d090d2c12598837727e199627e48fd19b071472382b240284
SHA512

c2fc0aaee60cafcea97f0158cc013ddff8dc097215375a94ddc633ff2abe14da36c54cfb1e9865bf89984e532c7951b19e1cf776d002c19b49698a5f55cae81b
SSDEEP

12288:90mTFhv5VQZ9WsgF91raePmsr55MGBoIaEXRavD7R5GsYG2ucI0zei:90m/x4xgF9hmDGFGeGVKf

Score

10^/10

formbook na10 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

na10

Decoy

tetheus.com

ventlikeyoumeanit.com

tintbliss.com

rinabet357.com

sapphireboutiqueusa.com

abc8bet6.com

xzcn3i7jb13cqei.buzz

pinktravelsnagpur.com

bt365038.com

rtpbossujang303.shop

osthirmaker.com

thelonelyteacup.com

rlc2019.com

couverture-charpente.com

productivagc.com

defendercarcare.com

abcentixdigital.com

petco.ltd

oypivh.top

micro.guru

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4208-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4208-17-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4464-24-0x00000000007F0000-0x000000000081F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

RFQ-ref_05921538.exeRFQ-ref_05921538.exemstsc.exe

description	pid	process	target process
PID 556 set thread context of 4208	556	RFQ-ref_05921538.exe	RFQ-ref_05921538.exe
PID 4208 set thread context of 3296	4208	RFQ-ref_05921538.exe	Explorer.EXE
PID 4464 set thread context of 3296	4464	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 43 IoCs

Processes:

RFQ-ref_05921538.exeRFQ-ref_05921538.exemstsc.exe

pid	process
556	RFQ-ref_05921538.exe
556	RFQ-ref_05921538.exe
556	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe
4464	mstsc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

RFQ-ref_05921538.exemstsc.exe

pid process

4208 RFQ-ref_05921538.exe
4208 RFQ-ref_05921538.exe
4208 RFQ-ref_05921538.exe
4464 mstsc.exe
4464 mstsc.exe

pid	process
4208	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4208	RFQ-ref_05921538.exe
4464	mstsc.exe
4464	mstsc.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

RFQ-ref_05921538.exeRFQ-ref_05921538.exeExplorer.EXEmstsc.exe

description	pid	process
Token: SeDebugPrivilege	556	RFQ-ref_05921538.exe
Token: SeDebugPrivilege	4208	RFQ-ref_05921538.exe
Token: SeShutdownPrivilege	3296	Explorer.EXE
Token: SeCreatePagefilePrivilege	3296	Explorer.EXE
Token: SeDebugPrivilege	4464	mstsc.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

RFQ-ref_05921538.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 556 wrote to memory of 4208	556	RFQ-ref_05921538.exe	RFQ-ref_05921538.exe
PID 556 wrote to memory of 4208	556	RFQ-ref_05921538.exe	RFQ-ref_05921538.exe
PID 556 wrote to memory of 4208	556	RFQ-ref_05921538.exe	RFQ-ref_05921538.exe
PID 556 wrote to memory of 4208	556	RFQ-ref_05921538.exe	RFQ-ref_05921538.exe
PID 556 wrote to memory of 4208	556	RFQ-ref_05921538.exe	RFQ-ref_05921538.exe
PID 556 wrote to memory of 4208	556	RFQ-ref_05921538.exe	RFQ-ref_05921538.exe
PID 3296 wrote to memory of 4464	3296	Explorer.EXE	mstsc.exe
PID 3296 wrote to memory of 4464	3296	Explorer.EXE	mstsc.exe
PID 3296 wrote to memory of 4464	3296	Explorer.EXE	mstsc.exe
PID 4464 wrote to memory of 4320	4464	mstsc.exe	cmd.exe
PID 4464 wrote to memory of 4320	4464	mstsc.exe	cmd.exe
PID 4464 wrote to memory of 4320	4464	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3296

C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:556

C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe
"C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4208

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4464

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\RFQ-ref_05921538.exe"
3⤵
PID:4320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=3192,i,2785050981002401924,4037047756083432660,262144 --variations-seed-version /prefetch:8
1⤵
PID:3344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/556-12-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/556-2-0x00000000056A0000-0x0000000005C44000-memory.dmp

Filesize
5.6MB

Download
memory/556-0-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/556-20-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/556-4-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/556-5-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/556-6-0x0000000005350000-0x0000000005394000-memory.dmp

Filesize
272KB

Download
memory/556-7-0x0000000005640000-0x000000000564A000-memory.dmp

Filesize
40KB

Download
memory/556-8-0x0000000074520000-0x0000000074CD0000-memory.dmp

Filesize
7.7MB

Download
memory/556-9-0x00000000072F0000-0x000000000730A000-memory.dmp

Filesize
104KB

Download
memory/556-10-0x0000000009900000-0x0000000009906000-memory.dmp

Filesize
24KB

Download
memory/556-11-0x000000007452E000-0x000000007452F000-memory.dmp

Filesize
4KB

Download
memory/556-3-0x0000000005190000-0x0000000005222000-memory.dmp

Filesize
584KB

Download
memory/556-1-0x0000000000310000-0x00000000003FC000-memory.dmp

Filesize
944KB

Download
memory/3296-33-0x0000000003330000-0x00000000033F0000-memory.dmp

Filesize
768KB

Download
memory/3296-19-0x0000000009390000-0x000000000953B000-memory.dmp

Filesize
1.7MB

Download
memory/3296-26-0x0000000009390000-0x000000000953B000-memory.dmp

Filesize
1.7MB

Download
memory/3296-29-0x0000000003330000-0x00000000033F0000-memory.dmp

Filesize
768KB

Download
memory/3296-30-0x0000000003330000-0x00000000033F0000-memory.dmp

Filesize
768KB

Download
memory/4208-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4208-16-0x0000000001930000-0x0000000001C7A000-memory.dmp

Filesize
3.3MB

Download
memory/4208-18-0x00000000018F0000-0x0000000001904000-memory.dmp

Filesize
80KB

Download
memory/4208-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4464-21-0x0000000000910000-0x0000000000A4A000-memory.dmp

Filesize
1.2MB

Download
memory/4464-23-0x0000000000910000-0x0000000000A4A000-memory.dmp

Filesize
1.2MB

Download
memory/4464-24-0x00000000007F0000-0x000000000081F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads