formbook | bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999

General

Target

bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe
Size

1.1MB
MD5

c8d850146b27ea87e5242f103088ef2d
SHA1

b7425314a1dd4316e2e7038d8cbf6a0a41804855
SHA256

bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999
SHA512

c2eaf840856f613cf7e71dbba6f5112c1b09c40cd3b7328322b27a3092229b125230264f7b2db6360bb285a65290d372ec23e74a91f11a10f3e15c2cef285f02
SSDEEP

24576:eAHnh+eWsN3skA4RV1Hom2KXMmHa6ZAXd/HGOeb7r5:Jh+ZkldoPK8Ya6ZAXd/mlbR

Score

10^/10

formbook as02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

as02

Decoy

qwin777.com

robinhoods.live

h3jh-dal.pics

braindeadcopywriting.com

kktcbet1000.com

mpo0463.cfd

raboteshoes.com

ab1718.com

lowcrusiers.com

gregcopelandmusic.com

dkfndch.store

firstclassuni.com

00ewu1ub.com

shunweichemical.com

sugarits.com

marqify.com

mistmajik.com

trezip.online

tinytables.xyz

suestergocoaching.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4120-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4120-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3244-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exesvchost.exesvchost.exe

description	pid	process	target process
PID 4492 set thread context of 4120	4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe	svchost.exe
PID 4120 set thread context of 3516	4120	svchost.exe	Explorer.EXE
PID 3244 set thread context of 3516	3244	svchost.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

svchost.exesvchost.exe

pid	process
4120	svchost.exe
4120	svchost.exe
4120	svchost.exe
4120	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe
3244	svchost.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exesvchost.exesvchost.exe

pid process

4492 bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe
4120 svchost.exe
4120 svchost.exe
4120 svchost.exe
3244 svchost.exe
3244 svchost.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesvchost.exe

description pid process

Token: SeDebugPrivilege 4120 svchost.exe
Token: SeDebugPrivilege 3244 svchost.exe

description	pid	process
Token: SeDebugPrivilege	4120	svchost.exe
Token: SeDebugPrivilege	3244	svchost.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exeExplorer.EXE

pid	process
4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe
4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of SendNotifyMessage 5 IoCs

Processes:

bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exeExplorer.EXE

pid	process
4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe
4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe
3516	Explorer.EXE
3516	Explorer.EXE
3516	Explorer.EXE

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exeExplorer.EXEsvchost.exe

description	pid	process	target process
PID 4492 wrote to memory of 4120	4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe	svchost.exe
PID 4492 wrote to memory of 4120	4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe	svchost.exe
PID 4492 wrote to memory of 4120	4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe	svchost.exe
PID 4492 wrote to memory of 4120	4492	bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe	svchost.exe
PID 3516 wrote to memory of 3244	3516	Explorer.EXE	svchost.exe
PID 3516 wrote to memory of 3244	3516	Explorer.EXE	svchost.exe
PID 3516 wrote to memory of 3244	3516	Explorer.EXE	svchost.exe
PID 3244 wrote to memory of 1656	3244	svchost.exe	cmd.exe
PID 3244 wrote to memory of 1656	3244	svchost.exe	cmd.exe
PID 3244 wrote to memory of 1656	3244	svchost.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3516

C:\Users\Admin\AppData\Local\Temp\bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe
"C:\Users\Admin\AppData\Local\Temp\bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4492

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\bd8a38d06603be4dafa830f2a5faa9f55b3e24cb692314908dc246adad8c8999.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4120

C:\Windows\SysWOW64\svchost.exe
"C:\Windows\SysWOW64\svchost.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3244

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:1656

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3244-19-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/3244-17-0x00000000001F0000-0x00000000001FE000-memory.dmp

Filesize
56KB

Download
memory/3244-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3516-16-0x0000000009610000-0x0000000009764000-memory.dmp

Filesize
1.3MB

Download
memory/3516-24-0x0000000003180000-0x0000000003244000-memory.dmp

Filesize
784KB

Download
memory/3516-25-0x0000000003180000-0x0000000003244000-memory.dmp

Filesize
784KB

Download
memory/3516-28-0x0000000003180000-0x0000000003244000-memory.dmp

Filesize
784KB

Download
memory/4120-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4120-12-0x0000000000E00000-0x000000000114A000-memory.dmp

Filesize
3.3MB

Download
memory/4120-15-0x00000000012B0000-0x00000000012C5000-memory.dmp

Filesize
84KB

Download
memory/4120-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-10-0x0000000002250000-0x0000000002254000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads