formbook | f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30

General

Target

f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
Size

1.1MB
MD5

e03cefcd99feaf7ca8fd37a4bec8280c
SHA1

1ef21abddff685aeb42767f9288d67bf22a9422d
SHA256

f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30
SHA512

af81a05f31cc3cd87872f95d448ce65936c6cd9ee8296c2ee46fd9af7b1cc7f76104c4272c4ce03d206086cb676e034e8a40670ec98494de8c28e551f2776277
SSDEEP

24576:2AHnh+eWsN3skA4RV1Hom2KXMmHaFUjMJc+pSA1TZHrhb5:Rh+ZkldoPK8YaFXJnrT

Score

10^/10

formbook ts59 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ts59

Decoy

hgptgz684w.top

gas39.pro

totalcow.com

76466.club

ssweatstudio.com

nr35.top

hmstr-drop.site

kjsdhklssk13.xyz

lostaino.com

athenamotel.info

9332946.com

ec-delivery-jobs-8j.bond

complaix.com

824go.com

checkout4xgrow.shop

modleavedepts.online

shoedio54.com

topallinoneaccounting.com

texhio.online

cn-brand.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/296-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/296-15-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/296-20-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2664-27-0x00000000000A0000-0x00000000000CF000-memory.dmp	formbook

Suspicious use of SetThreadContext 4 IoCs

Processes:

f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exesvchost.exerundll32.exe

description	pid	process	target process
PID 3048 set thread context of 296	3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe	svchost.exe
PID 296 set thread context of 1196	296	svchost.exe	Explorer.EXE
PID 296 set thread context of 1196	296	svchost.exe	Explorer.EXE
PID 2664 set thread context of 1196	2664	rundll32.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 31 IoCs

Processes:

svchost.exerundll32.exe

pid	process
296	svchost.exe
296	svchost.exe
296	svchost.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe
2664	rundll32.exe

Suspicious behavior: MapViewOfSection 7 IoCs

Processes:

f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exesvchost.exerundll32.exe

pid process

3048 f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
296 svchost.exe
296 svchost.exe
296 svchost.exe
296 svchost.exe
2664 rundll32.exe
2664 rundll32.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exerundll32.exe

description pid process

Token: SeDebugPrivilege 296 svchost.exe
Token: SeDebugPrivilege 2664 rundll32.exe
Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exeExplorer.EXE

pid process

3048 f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
3048 f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
1196 Explorer.EXE
1196 Explorer.EXE
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe

pid process

3048 f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
3048 f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe

pid	process
3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
296	svchost.exe
2664	rundll32.exe
2664	rundll32.exe

description	pid	process
Token: SeDebugPrivilege	296	svchost.exe
Token: SeDebugPrivilege	2664	rundll32.exe

pid	process
3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
1196	Explorer.EXE
1196	Explorer.EXE

pid	process
3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exeExplorer.EXErundll32.exe

description	pid	process	target process
PID 3048 wrote to memory of 296	3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe	svchost.exe
PID 3048 wrote to memory of 296	3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe	svchost.exe
PID 3048 wrote to memory of 296	3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe	svchost.exe
PID 3048 wrote to memory of 296	3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe	svchost.exe
PID 3048 wrote to memory of 296	3048	f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe	svchost.exe
PID 1196 wrote to memory of 2664	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 2664	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 2664	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 2664	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 2664	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 2664	1196	Explorer.EXE	rundll32.exe
PID 1196 wrote to memory of 2664	1196	Explorer.EXE	rundll32.exe
PID 2664 wrote to memory of 2876	2664	rundll32.exe	cmd.exe
PID 2664 wrote to memory of 2876	2664	rundll32.exe	cmd.exe
PID 2664 wrote to memory of 2876	2664	rundll32.exe	cmd.exe
PID 2664 wrote to memory of 2876	2664	rundll32.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1196

C:\Users\Admin\AppData\Local\Temp\f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe
"C:\Users\Admin\AppData\Local\Temp\f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3048

C:\Windows\SysWOW64\svchost.exe
"C:\Users\Admin\AppData\Local\Temp\f86b5c769c4ae7db9a13fa32b90030bf8b700d8d0f5c30584044942602d2af30.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:296

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Windows\SysWOW64\svchost.exe"
3⤵
PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/296-21-0x00000000001E0000-0x00000000001F4000-memory.dmp

Filesize
80KB

Download
memory/296-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/296-13-0x00000000008C0000-0x0000000000BC3000-memory.dmp

Filesize
3.0MB

Download
memory/296-15-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/296-14-0x0000000000160000-0x0000000000174000-memory.dmp

Filesize
80KB

Download
memory/296-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1196-30-0x0000000004F80000-0x000000000511C000-memory.dmp

Filesize
1.6MB

Download
memory/1196-31-0x00000000053F0000-0x00000000054E6000-memory.dmp

Filesize
984KB

Download
memory/1196-17-0x0000000004F80000-0x000000000511C000-memory.dmp

Filesize
1.6MB

Download
memory/1196-16-0x0000000003AD0000-0x0000000003BD0000-memory.dmp

Filesize
1024KB

Download
memory/1196-22-0x00000000053F0000-0x00000000054E6000-memory.dmp

Filesize
984KB

Download
memory/1196-39-0x0000000006850000-0x0000000006963000-memory.dmp

Filesize
1.1MB

Download
memory/1196-36-0x0000000006850000-0x0000000006963000-memory.dmp

Filesize
1.1MB

Download
memory/1196-34-0x0000000006850000-0x0000000006963000-memory.dmp

Filesize
1.1MB

Download
memory/1196-28-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/2664-23-0x0000000000060000-0x000000000006E000-memory.dmp

Filesize
56KB

Download
memory/2664-27-0x00000000000A0000-0x00000000000CF000-memory.dmp

Filesize
188KB

Download
memory/2664-26-0x0000000000060000-0x000000000006E000-memory.dmp

Filesize
56KB

Download
memory/2664-24-0x0000000000060000-0x000000000006E000-memory.dmp

Filesize
56KB

Download
memory/3048-10-0x0000000000260000-0x0000000000264000-memory.dmp

Filesize
16KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads