formbook | 8d39599a31cac2a8cf51d0b0d6dfd6dbafa76dd1cd33d70d0ce6a8235c662a5d

General

Target

kpCSGLBxAw2RnrW.exe
Size

792KB
MD5

ecd71b32a9f7df1197ea46c0831f5e54
SHA1

aa8b0fc56cf3048ccd5f293500cce039305da1a3
SHA256

8d39599a31cac2a8cf51d0b0d6dfd6dbafa76dd1cd33d70d0ce6a8235c662a5d
SHA512

5ebee458ecc260368c5414d7b303c2fbf5779287ebfc55142d143da3cb10ee564f66ad8f8bed6c7574be4df479178ea149ddf990709547cea2083a932e630d26
SSDEEP

12288:J0KE8GILjWLWg/yGcktHAJr5OJKjHYXRLQXTtsepSTVp+:Pc/oEuaqHEwIn

Score

10^/10

formbook dy13 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dy13

Decoy

manga-house.com

kjsdhklssk51.xyz

b0ba138.xyz

bt365033.com

ccbsinc.net

mrwine.xyz

nrxkrd527o.xyz

hoshi.social

1912ai.com

serco2020.com

byfchfyr.xyz

imuschestvostorgov.online

austinheafey.com

mrdfa.club

883106.photos

profitablefxmarkets.com

taini00.net

brye.top

ginsm.com

sportglid.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4312-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4312-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1960-23-0x0000000001000000-0x000000000102F000-memory.dmp	formbook
behavioral2/memory/1960-25-0x0000000001000000-0x000000000102F000-memory.dmp	formbook

Blocklisted process makes network request 1 IoCs

Processes:

msiexec.exe

flow pid process

43 1960 msiexec.exe

flow	pid	process
43	1960	msiexec.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

kpCSGLBxAw2RnrW.exekpCSGLBxAw2RnrW.exemsiexec.exe

description	pid	process	target process
PID 1504 set thread context of 4312	1504	kpCSGLBxAw2RnrW.exe	kpCSGLBxAw2RnrW.exe
PID 4312 set thread context of 3500	4312	kpCSGLBxAw2RnrW.exe	Explorer.EXE
PID 1960 set thread context of 3500	1960	msiexec.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

kpCSGLBxAw2RnrW.exemsiexec.exe

pid	process
4312	kpCSGLBxAw2RnrW.exe
4312	kpCSGLBxAw2RnrW.exe
4312	kpCSGLBxAw2RnrW.exe
4312	kpCSGLBxAw2RnrW.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe
1960	msiexec.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

kpCSGLBxAw2RnrW.exemsiexec.exe

pid process

4312 kpCSGLBxAw2RnrW.exe
4312 kpCSGLBxAw2RnrW.exe
4312 kpCSGLBxAw2RnrW.exe
1960 msiexec.exe
1960 msiexec.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

kpCSGLBxAw2RnrW.exemsiexec.exe

description pid process

Token: SeDebugPrivilege 4312 kpCSGLBxAw2RnrW.exe
Token: SeDebugPrivilege 1960 msiexec.exe

description	pid	process
Token: SeDebugPrivilege	4312	kpCSGLBxAw2RnrW.exe
Token: SeDebugPrivilege	1960	msiexec.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

kpCSGLBxAw2RnrW.exeExplorer.EXEmsiexec.exe

description	pid	process	target process
PID 1504 wrote to memory of 4312	1504	kpCSGLBxAw2RnrW.exe	kpCSGLBxAw2RnrW.exe
PID 1504 wrote to memory of 4312	1504	kpCSGLBxAw2RnrW.exe	kpCSGLBxAw2RnrW.exe
PID 1504 wrote to memory of 4312	1504	kpCSGLBxAw2RnrW.exe	kpCSGLBxAw2RnrW.exe
PID 1504 wrote to memory of 4312	1504	kpCSGLBxAw2RnrW.exe	kpCSGLBxAw2RnrW.exe
PID 1504 wrote to memory of 4312	1504	kpCSGLBxAw2RnrW.exe	kpCSGLBxAw2RnrW.exe
PID 1504 wrote to memory of 4312	1504	kpCSGLBxAw2RnrW.exe	kpCSGLBxAw2RnrW.exe
PID 3500 wrote to memory of 1960	3500	Explorer.EXE	msiexec.exe
PID 3500 wrote to memory of 1960	3500	Explorer.EXE	msiexec.exe
PID 3500 wrote to memory of 1960	3500	Explorer.EXE	msiexec.exe
PID 1960 wrote to memory of 4576	1960	msiexec.exe	cmd.exe
PID 1960 wrote to memory of 4576	1960	msiexec.exe	cmd.exe
PID 1960 wrote to memory of 4576	1960	msiexec.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of WriteProcessMemory
PID:3500

C:\Users\Admin\AppData\Local\Temp\kpCSGLBxAw2RnrW.exe
"C:\Users\Admin\AppData\Local\Temp\kpCSGLBxAw2RnrW.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\kpCSGLBxAw2RnrW.exe
"C:\Users\Admin\AppData\Local\Temp\kpCSGLBxAw2RnrW.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\SysWOW64\msiexec.exe"
2⤵
- Blocklisted process makes network request
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1960

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\kpCSGLBxAw2RnrW.exe"
3⤵
PID:4576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-12-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-1-0x0000000000660000-0x000000000072C000-memory.dmp

Filesize
816KB

Download
memory/1504-2-0x0000000005770000-0x0000000005D14000-memory.dmp

Filesize
5.6MB

Download
memory/1504-3-0x00000000050F0000-0x0000000005182000-memory.dmp

Filesize
584KB

Download
memory/1504-4-0x0000000075220000-0x00000000759D0000-memory.dmp

Filesize
7.7MB

Download
memory/1504-5-0x00000000051C0000-0x00000000051CA000-memory.dmp

Filesize
40KB

Download
memory/1504-6-0x0000000005390000-0x00000000053A0000-memory.dmp

Filesize
64KB

Download
memory/1504-7-0x00000000055B0000-0x00000000055BC000-memory.dmp

Filesize
48KB

Download
memory/1504-8-0x00000000056D0000-0x0000000005746000-memory.dmp

Filesize
472KB

Download
memory/1504-9-0x0000000008250000-0x00000000082EC000-memory.dmp

Filesize
624KB

Download
memory/1504-0-0x000000007522E000-0x000000007522F000-memory.dmp

Filesize
4KB

Download
memory/1960-20-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/1960-23-0x0000000001000000-0x000000000102F000-memory.dmp

Filesize
188KB

Download
memory/1960-27-0x0000000003210000-0x00000000032A4000-memory.dmp

Filesize
592KB

Download
memory/1960-25-0x0000000001000000-0x000000000102F000-memory.dmp

Filesize
188KB

Download
memory/1960-24-0x0000000002EC0000-0x000000000320A000-memory.dmp

Filesize
3.3MB

Download
memory/1960-18-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/1960-22-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/3500-17-0x0000000008680000-0x00000000087E6000-memory.dmp

Filesize
1.4MB

Download
memory/3500-28-0x0000000008680000-0x00000000087E6000-memory.dmp

Filesize
1.4MB

Download
memory/3500-31-0x0000000008420000-0x0000000008568000-memory.dmp

Filesize
1.3MB

Download
memory/3500-32-0x0000000008420000-0x0000000008568000-memory.dmp

Filesize
1.3MB

Download
memory/3500-35-0x0000000008420000-0x0000000008568000-memory.dmp

Filesize
1.3MB

Download
memory/4312-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4312-14-0x00000000019E0000-0x0000000001D2A000-memory.dmp

Filesize
3.3MB

Download
memory/4312-15-0x0000000001450000-0x0000000001465000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads