formbook | af3cf8969b0fdaa379f685e9c822eb12d92c0b7103743671dcd006346ca6df78

General

Target

80TeZdsbeA6B6j4.exe
Size

606KB
MD5

7442aa90a9c0f8cce9a010e6c0d02adc
SHA1

3ade4ebfd27f0e827d1d5678702c18f5cb3b869b
SHA256

af3cf8969b0fdaa379f685e9c822eb12d92c0b7103743671dcd006346ca6df78
SHA512

20561792fb78f87d3ac8c941af91d9660b503872bdae4f6cbfd8dcd93c904f95f436ecd7edabf1c01165da942257ff4a2e4359fe531d1cb3d188f1b413293562
SSDEEP

12288:RSBofC1PIC44NN91so6zo7/v75WaU4UzlrT8dggA5wFk1d+6D0i0:RS/16GX14zg375W4M2uyFYYxi

Score

10^/10

formbook mc10 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mc10

Decoy

sttcorp.one

jack88.lat

owl-protect.com

hnszrrn.com

at89v2.com

h147.top

takle4creators.com

fondsa.xyz

mantenopolice.com

shophansler.com

dessertt.com

thecollisionmagazine.com

tatesfluffyfrenchies.com

h1f2v.rest

bluewandltd.com

cuplaho2003.shop

2thetcleaningservice.com

yc85w.top

natursache.shop

allmyabilities.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3952-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3952-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3860-22-0x0000000000640000-0x000000000066F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

80TeZdsbeA6B6j4.exe80TeZdsbeA6B6j4.exemstsc.exe

description	pid	process	target process
PID 3992 set thread context of 3952	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3952 set thread context of 3484	3952	80TeZdsbeA6B6j4.exe	Explorer.EXE
PID 3860 set thread context of 3484	3860	mstsc.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 62 IoCs

Processes:

80TeZdsbeA6B6j4.exe80TeZdsbeA6B6j4.exemstsc.exe

pid	process
3992	80TeZdsbeA6B6j4.exe
3992	80TeZdsbeA6B6j4.exe
3992	80TeZdsbeA6B6j4.exe
3992	80TeZdsbeA6B6j4.exe
3952	80TeZdsbeA6B6j4.exe
3952	80TeZdsbeA6B6j4.exe
3952	80TeZdsbeA6B6j4.exe
3952	80TeZdsbeA6B6j4.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe
3860	mstsc.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

80TeZdsbeA6B6j4.exemstsc.exe

pid process

3952 80TeZdsbeA6B6j4.exe
3952 80TeZdsbeA6B6j4.exe
3952 80TeZdsbeA6B6j4.exe
3860 mstsc.exe
3860 mstsc.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

80TeZdsbeA6B6j4.exe80TeZdsbeA6B6j4.exemstsc.exe

description pid process

Token: SeDebugPrivilege 3992 80TeZdsbeA6B6j4.exe
Token: SeDebugPrivilege 3952 80TeZdsbeA6B6j4.exe
Token: SeDebugPrivilege 3860 mstsc.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Explorer.EXE

pid process

3484 Explorer.EXE
3484 Explorer.EXE
3484 Explorer.EXE
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Explorer.EXE

pid process

3484 Explorer.EXE
3484 Explorer.EXE
3484 Explorer.EXE

pid	process
3952	80TeZdsbeA6B6j4.exe
3952	80TeZdsbeA6B6j4.exe
3952	80TeZdsbeA6B6j4.exe
3860	mstsc.exe
3860	mstsc.exe

description	pid	process
Token: SeDebugPrivilege	3992	80TeZdsbeA6B6j4.exe
Token: SeDebugPrivilege	3952	80TeZdsbeA6B6j4.exe
Token: SeDebugPrivilege	3860	mstsc.exe

pid	process
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE

pid	process
3484	Explorer.EXE
3484	Explorer.EXE
3484	Explorer.EXE

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

80TeZdsbeA6B6j4.exeExplorer.EXEmstsc.exe

description	pid	process	target process
PID 3992 wrote to memory of 736	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 736	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 736	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 4384	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 4384	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 4384	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 3952	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 3952	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 3952	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 3952	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 3952	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3992 wrote to memory of 3952	3992	80TeZdsbeA6B6j4.exe	80TeZdsbeA6B6j4.exe
PID 3484 wrote to memory of 3860	3484	Explorer.EXE	mstsc.exe
PID 3484 wrote to memory of 3860	3484	Explorer.EXE	mstsc.exe
PID 3484 wrote to memory of 3860	3484	Explorer.EXE	mstsc.exe
PID 3860 wrote to memory of 2288	3860	mstsc.exe	cmd.exe
PID 3860 wrote to memory of 2288	3860	mstsc.exe	cmd.exe
PID 3860 wrote to memory of 2288	3860	mstsc.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3484

C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe
"C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3992

C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe
"C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe"
3⤵
PID:736

C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe
"C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe"
3⤵
PID:4384

C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe
"C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:3952

C:\Windows\SysWOW64\mstsc.exe
"C:\Windows\SysWOW64\mstsc.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\80TeZdsbeA6B6j4.exe"
3⤵
PID:2288

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3484-34-0x0000000007FE0000-0x0000000008163000-memory.dmp

Filesize
1.5MB

Download
memory/3484-31-0x0000000007FE0000-0x0000000008163000-memory.dmp

Filesize
1.5MB

Download
memory/3484-29-0x0000000007FE0000-0x0000000008163000-memory.dmp

Filesize
1.5MB

Download
memory/3484-24-0x0000000002630000-0x00000000027BD000-memory.dmp

Filesize
1.6MB

Download
memory/3484-18-0x0000000002630000-0x00000000027BD000-memory.dmp

Filesize
1.6MB

Download
memory/3860-22-0x0000000000640000-0x000000000066F000-memory.dmp

Filesize
188KB

Download
memory/3860-21-0x0000000000E00000-0x0000000000F3A000-memory.dmp

Filesize
1.2MB

Download
memory/3860-19-0x0000000000E00000-0x0000000000F3A000-memory.dmp

Filesize
1.2MB

Download
memory/3952-14-0x00000000014E0000-0x000000000182A000-memory.dmp

Filesize
3.3MB

Download
memory/3952-17-0x0000000000F50000-0x0000000000F64000-memory.dmp

Filesize
80KB

Download
memory/3952-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3952-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3992-6-0x0000000005140000-0x000000000515A000-memory.dmp

Filesize
104KB

Download
memory/3992-13-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3992-10-0x000000000F410000-0x000000000F4AC000-memory.dmp

Filesize
624KB

Download
memory/3992-9-0x000000000BD90000-0x000000000BE06000-memory.dmp

Filesize
472KB

Download
memory/3992-8-0x000000000BB10000-0x000000000BB1C000-memory.dmp

Filesize
48KB

Download
memory/3992-7-0x0000000008B00000-0x0000000008B08000-memory.dmp

Filesize
32KB

Download
memory/3992-0-0x0000000074A8E000-0x0000000074A8F000-memory.dmp

Filesize
4KB

Download
memory/3992-5-0x0000000074A80000-0x0000000075230000-memory.dmp

Filesize
7.7MB

Download
memory/3992-4-0x0000000005010000-0x000000000501A000-memory.dmp

Filesize
40KB

Download
memory/3992-3-0x0000000004F50000-0x0000000004FE2000-memory.dmp

Filesize
584KB

Download
memory/3992-2-0x0000000005460000-0x0000000005A04000-memory.dmp

Filesize
5.6MB

Download
memory/3992-1-0x0000000000610000-0x00000000006AE000-memory.dmp

Filesize
632KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads