formbook | 9c5ada1bea0116faaa4cb16f966f2fa5af05d79293b2cb3b953d22d0d17ae680

General

Target

rAXDBwN46Wuxlc8.exe
Size

593KB
MD5

1c35913e1129c47ca535b3aea8d90078
SHA1

35f1cbcd7a52a3e1441d0f8cd67076e75b260b7a
SHA256

9c5ada1bea0116faaa4cb16f966f2fa5af05d79293b2cb3b953d22d0d17ae680
SHA512

a06df95313ed8708aaa34674041b3fe75122574ae334b69295ea049c110e5893143cd0ccfb0140eecebe7c15ed518e6c90a5f978569ba417fed41333d85dfe8d
SSDEEP

12288:V0JJwqLx/cHWzonE/DpX3Rx3UOMkPwCJTNmSWEtUP8XcoESZRYT57:VZtHEdX3H3eCJTNGrYXY

Score

10^/10

formbook dy13 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dy13

Decoy

manga-house.com

kjsdhklssk51.xyz

b0ba138.xyz

bt365033.com

ccbsinc.net

mrwine.xyz

nrxkrd527o.xyz

hoshi.social

1912ai.com

serco2020.com

byfchfyr.xyz

imuschestvostorgov.online

austinheafey.com

mrdfa.club

883106.photos

profitablefxmarkets.com

taini00.net

brye.top

ginsm.com

sportglid.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1408-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1408-18-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1584-23-0x0000000000450000-0x000000000047F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

rAXDBwN46Wuxlc8.exerAXDBwN46Wuxlc8.execmmon32.exe

description	pid	process	target process
PID 3440 set thread context of 1408	3440	rAXDBwN46Wuxlc8.exe	rAXDBwN46Wuxlc8.exe
PID 1408 set thread context of 3432	1408	rAXDBwN46Wuxlc8.exe	Explorer.EXE
PID 1584 set thread context of 3432	1584	cmmon32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 57 IoCs

Processes:

rAXDBwN46Wuxlc8.execmmon32.exe

pid	process
1408	rAXDBwN46Wuxlc8.exe
1408	rAXDBwN46Wuxlc8.exe
1408	rAXDBwN46Wuxlc8.exe
1408	rAXDBwN46Wuxlc8.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe
1584	cmmon32.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

rAXDBwN46Wuxlc8.execmmon32.exe

pid process

1408 rAXDBwN46Wuxlc8.exe
1408 rAXDBwN46Wuxlc8.exe
1408 rAXDBwN46Wuxlc8.exe
1584 cmmon32.exe
1584 cmmon32.exe
Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

rAXDBwN46Wuxlc8.execmmon32.exeExplorer.EXE

description pid process

Token: SeDebugPrivilege 1408 rAXDBwN46Wuxlc8.exe
Token: SeDebugPrivilege 1584 cmmon32.exe
Token: SeShutdownPrivilege 3432 Explorer.EXE
Token: SeCreatePagefilePrivilege 3432 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	1408	rAXDBwN46Wuxlc8.exe
Token: SeDebugPrivilege	1584	cmmon32.exe
Token: SeShutdownPrivilege	3432	Explorer.EXE
Token: SeCreatePagefilePrivilege	3432	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

rAXDBwN46Wuxlc8.exeExplorer.EXEcmmon32.exe

description	pid	process	target process
PID 3440 wrote to memory of 1408	3440	rAXDBwN46Wuxlc8.exe	rAXDBwN46Wuxlc8.exe
PID 3440 wrote to memory of 1408	3440	rAXDBwN46Wuxlc8.exe	rAXDBwN46Wuxlc8.exe
PID 3440 wrote to memory of 1408	3440	rAXDBwN46Wuxlc8.exe	rAXDBwN46Wuxlc8.exe
PID 3440 wrote to memory of 1408	3440	rAXDBwN46Wuxlc8.exe	rAXDBwN46Wuxlc8.exe
PID 3440 wrote to memory of 1408	3440	rAXDBwN46Wuxlc8.exe	rAXDBwN46Wuxlc8.exe
PID 3440 wrote to memory of 1408	3440	rAXDBwN46Wuxlc8.exe	rAXDBwN46Wuxlc8.exe
PID 3432 wrote to memory of 1584	3432	Explorer.EXE	cmmon32.exe
PID 3432 wrote to memory of 1584	3432	Explorer.EXE	cmmon32.exe
PID 3432 wrote to memory of 1584	3432	Explorer.EXE	cmmon32.exe
PID 1584 wrote to memory of 4104	1584	cmmon32.exe	cmd.exe
PID 1584 wrote to memory of 4104	1584	cmmon32.exe	cmd.exe
PID 1584 wrote to memory of 4104	1584	cmmon32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3432

C:\Users\Admin\AppData\Local\Temp\rAXDBwN46Wuxlc8.exe
"C:\Users\Admin\AppData\Local\Temp\rAXDBwN46Wuxlc8.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3440

C:\Users\Admin\AppData\Local\Temp\rAXDBwN46Wuxlc8.exe
"C:\Users\Admin\AppData\Local\Temp\rAXDBwN46Wuxlc8.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1408

C:\Windows\SysWOW64\cmmon32.exe
"C:\Windows\SysWOW64\cmmon32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1584

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\rAXDBwN46Wuxlc8.exe"
3⤵
PID:4104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4080,i,5711962389779687290,1245653010537220991,262144 --variations-seed-version --mojo-platform-channel-handle=3772 /prefetch:8
1⤵
PID:5088

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1408-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1408-19-0x0000000001330000-0x0000000001345000-memory.dmp

Filesize
84KB

Download
memory/1408-16-0x0000000000EB0000-0x00000000011FA000-memory.dmp

Filesize
3.3MB

Download
memory/1584-23-0x0000000000450000-0x000000000047F000-memory.dmp

Filesize
188KB

Download
memory/1584-21-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/1584-22-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/3432-32-0x0000000008690000-0x0000000008791000-memory.dmp

Filesize
1.0MB

Download
memory/3432-29-0x0000000008690000-0x0000000008791000-memory.dmp

Filesize
1.0MB

Download
memory/3432-28-0x0000000008690000-0x0000000008791000-memory.dmp

Filesize
1.0MB

Download
memory/3432-25-0x0000000002D90000-0x0000000002E7D000-memory.dmp

Filesize
948KB

Download
memory/3432-20-0x0000000002D90000-0x0000000002E7D000-memory.dmp

Filesize
948KB

Download
memory/3440-6-0x0000000005710000-0x000000000571A000-memory.dmp

Filesize
40KB

Download
memory/3440-7-0x0000000006350000-0x000000000687C000-memory.dmp

Filesize
5.2MB

Download
memory/3440-15-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-11-0x00000000074C0000-0x00000000074CC000-memory.dmp

Filesize
48KB

Download
memory/3440-10-0x00000000074A0000-0x00000000074B0000-memory.dmp

Filesize
64KB

Download
memory/3440-9-0x00000000072F0000-0x000000000737A000-memory.dmp

Filesize
552KB

Download
memory/3440-8-0x0000000005F10000-0x0000000005FAC000-memory.dmp

Filesize
624KB

Download
memory/3440-12-0x00000000074E0000-0x0000000007556000-memory.dmp

Filesize
472KB

Download
memory/3440-0-0x000000007521E000-0x000000007521F000-memory.dmp

Filesize
4KB

Download
memory/3440-5-0x0000000075210000-0x00000000759C0000-memory.dmp

Filesize
7.7MB

Download
memory/3440-4-0x0000000005310000-0x0000000005664000-memory.dmp

Filesize
3.3MB

Download
memory/3440-3-0x0000000005270000-0x0000000005302000-memory.dmp

Filesize
584KB

Download
memory/3440-2-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/3440-1-0x0000000000770000-0x000000000080A000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads