formbook | 6d0a79ac97ad96ecfea9b89fe36249dc9eb6cbd2dd60fb46c463ad6d76d7bb02

General

Target

ORDER #8774598644.pdf.exe
Size

1.0MB
MD5

2d3ee28273908c49fd61b2b682a77d7c
SHA1

52a9468e0a9815e6d4567de69e0fd46725904e26
SHA256

7775c0292610f35e3db09d7e06343f212a24e490085ee11f8121fa65db61dcfa
SHA512

38691df68b324fed73fcbffe369acce07d2ef948dfdedf40802ff73522c32b3c7f57de1a132d1b8d9e8b89f3d3fd1631411228bf2794d3e5a705d6cf349365ed
SSDEEP

24576:6AHnh+eWsN3skA4RV1Hom2KXMmHathMXQKuyroqVL5:Nh+ZkldoPK8YathMQK5oi

Score

10^/10

formbook rn94 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rn94

Decoy

st68v.xyz

conciergenotary.net

qwechaotk.top

rtpdonatoto29.xyz

8ad.xyz

powermove.top

cameras-30514.bond

vanguardcoffee.shop

umoe53fxc1bsujv.buzz

consultoriamax.net

hplxx.com

ndu.wtf

yzh478c.xyz

bigbrown999.site

xiake07.asia

resdai.xyz

the35678.shop

ba6rf.rest

ceo688.com

phimxhot.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2288-30-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2288-33-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2660-39-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Drops startup file 1 IoCs

Processes:

name.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs name.exe
Executes dropped EXE 1 IoCs

Processes:

name.exe

pid process

2228 name.exe
Loads dropped DLL 1 IoCs

Processes:

ORDER #8774598644.pdf.exe

pid process

2360 ORDER #8774598644.pdf.exe
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.

Processes:

resource yara_rule

\Users\Admin\AppData\Local\directory\name.exe autoit_exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\name.vbs	name.exe

pid	process
2228	name.exe

pid	process
2360	ORDER #8774598644.pdf.exe

resource	yara_rule
\Users\Admin\AppData\Local\directory\name.exe	autoit_exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

name.exesvchost.exesystray.exe

description	pid	process	target process
PID 2228 set thread context of 2288	2228	name.exe	svchost.exe
PID 2288 set thread context of 1372	2288	svchost.exe	Explorer.EXE
PID 2660 set thread context of 1372	2660	systray.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

svchost.exesystray.exe

pid	process
2288	svchost.exe
2288	svchost.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe
2660	systray.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

name.exesvchost.exesystray.exe

pid process

2228 name.exe
2288 svchost.exe
2288 svchost.exe
2288 svchost.exe
2660 systray.exe
2660 systray.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exesystray.exe

description pid process

Token: SeDebugPrivilege 2288 svchost.exe
Token: SeDebugPrivilege 2660 systray.exe
Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

ORDER #8774598644.pdf.exename.exeExplorer.EXE

pid process

2360 ORDER #8774598644.pdf.exe
2360 ORDER #8774598644.pdf.exe
2228 name.exe
2228 name.exe
1372 Explorer.EXE
1372 Explorer.EXE
Suspicious use of SendNotifyMessage 4 IoCs

Processes:

ORDER #8774598644.pdf.exename.exe

pid process

2360 ORDER #8774598644.pdf.exe
2360 ORDER #8774598644.pdf.exe
2228 name.exe
2228 name.exe

pid	process
2228	name.exe
2288	svchost.exe
2288	svchost.exe
2288	svchost.exe
2660	systray.exe
2660	systray.exe

description	pid	process
Token: SeDebugPrivilege	2288	svchost.exe
Token: SeDebugPrivilege	2660	systray.exe

pid	process
2360	ORDER #8774598644.pdf.exe
2360	ORDER #8774598644.pdf.exe
2228	name.exe
2228	name.exe
1372	Explorer.EXE
1372	Explorer.EXE

pid	process
2360	ORDER #8774598644.pdf.exe
2360	ORDER #8774598644.pdf.exe
2228	name.exe
2228	name.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

ORDER #8774598644.pdf.exename.exeExplorer.EXEsystray.exe

description	pid	process	target process
PID 2360 wrote to memory of 2228	2360	ORDER #8774598644.pdf.exe	name.exe
PID 2360 wrote to memory of 2228	2360	ORDER #8774598644.pdf.exe	name.exe
PID 2360 wrote to memory of 2228	2360	ORDER #8774598644.pdf.exe	name.exe
PID 2360 wrote to memory of 2228	2360	ORDER #8774598644.pdf.exe	name.exe
PID 2228 wrote to memory of 2288	2228	name.exe	svchost.exe
PID 2228 wrote to memory of 2288	2228	name.exe	svchost.exe
PID 2228 wrote to memory of 2288	2228	name.exe	svchost.exe
PID 2228 wrote to memory of 2288	2228	name.exe	svchost.exe
PID 2228 wrote to memory of 2288	2228	name.exe	svchost.exe
PID 1372 wrote to memory of 2660	1372	Explorer.EXE	systray.exe
PID 1372 wrote to memory of 2660	1372	Explorer.EXE	systray.exe
PID 1372 wrote to memory of 2660	1372	Explorer.EXE	systray.exe
PID 1372 wrote to memory of 2660	1372	Explorer.EXE	systray.exe
PID 2660 wrote to memory of 2876	2660	systray.exe	cmd.exe
PID 2660 wrote to memory of 2876	2660	systray.exe	cmd.exe
PID 2660 wrote to memory of 2876	2660	systray.exe	cmd.exe
PID 2660 wrote to memory of 2876	2660	systray.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1372

C:\Users\Admin\AppData\Local\Temp\ORDER #8774598644.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER #8774598644.pdf.exe"
2⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2360

C:\Users\Admin\AppData\Local\directory\name.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER #8774598644.pdf.exe"
3⤵
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\ORDER #8774598644.pdf.exe"
4⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:2288

C:\Windows\SysWOW64\systray.exe
"C:\Windows\SysWOW64\systray.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\holloing
Filesize
185KB

MD5
9bde92e31dd0f172cf097edbf96c0f87

SHA1
0a49b0e0f811ac1c030dd1dc72faee354a1b9723

SHA256
30022f1c166da506a82b58818ef29e243b06cde429ad5486e44d9f34e0465a9a

SHA512
acfe7cc000e4b25c8126500ece114c44b13f08d2754a6d4fa9fe39becf6ffd2012ef16ccc41178c7e3f8d6a82539c4e2140b11cbc20506ca511e03020480afb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\overfertilize
Filesize
28KB

MD5
908033a74672250aeda64d4217d53f51

SHA1
a5ba1de8ee9d453ee8690f104fed7b68e26d7e1d

SHA256
18642b12bfa7cca8341165e50812f67947f830ce5c5b9b0f7bb77e0f35f80206

SHA512
0df987f4b79395feef5ef53b2f4df34e044b5cc7a04858060f10c81517e30357d1670738065b076472d294f57aff564ec46e510e6a2c9cd24bb374eb8c49d3a6

Download Submit
\Users\Admin\AppData\Local\directory\name.exe
Filesize
1.0MB

MD5
2d3ee28273908c49fd61b2b682a77d7c

SHA1
52a9468e0a9815e6d4567de69e0fd46725904e26

SHA256
7775c0292610f35e3db09d7e06343f212a24e490085ee11f8121fa65db61dcfa

SHA512
38691df68b324fed73fcbffe369acce07d2ef948dfdedf40802ff73522c32b3c7f57de1a132d1b8d9e8b89f3d3fd1631411228bf2794d3e5a705d6cf349365ed

Download Submit
memory/1372-36-0x0000000004C40000-0x0000000004D17000-memory.dmp

Filesize
860KB

Download
memory/1372-50-0x0000000004E70000-0x0000000004F2B000-memory.dmp

Filesize
748KB

Download
memory/1372-47-0x0000000004E70000-0x0000000004F2B000-memory.dmp

Filesize
748KB

Download
memory/1372-46-0x0000000004E70000-0x0000000004F2B000-memory.dmp

Filesize
748KB

Download
memory/1372-42-0x0000000004C40000-0x0000000004D17000-memory.dmp

Filesize
860KB

Download
memory/1372-35-0x0000000000310000-0x0000000000410000-memory.dmp

Filesize
1024KB

Download
memory/2288-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2288-34-0x00000000001C0000-0x00000000001D5000-memory.dmp

Filesize
84KB

Download
memory/2288-31-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/2360-10-0x0000000000120000-0x0000000000124000-memory.dmp

Filesize
16KB

Download
memory/2660-38-0x00000000003B0000-0x00000000003B5000-memory.dmp

Filesize
20KB

Download
memory/2660-37-0x00000000003B0000-0x00000000003B5000-memory.dmp

Filesize
20KB

Download
memory/2660-39-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads