formbook | f11bf0f5b97161b5d27b4cbbc02fae52957df15646513874df10bc06d1d4e5df

General

Target

SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
Size

455KB
MD5

8c5fad5ff5c2c0af9ce18b5130f3d43c
SHA1

0e2cb2a9fd256afdb2a877fa0b8fbe6c7d30c6b4
SHA256

f11bf0f5b97161b5d27b4cbbc02fae52957df15646513874df10bc06d1d4e5df
SHA512

c3ecee109de715fb49ca3e8fd35b598c01ff59ccaf377bfb3b2f5d8463bad6e469a89f8dd56cdae3781335a72e3eb695c7dd4f675f9f64712e97f9fea5fafed2

Score

10^/10

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

description	pid	process	target process
PID 3956 wrote to memory of 2432	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2432	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2432	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2440	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2440	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2440	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2440	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2440	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
PID 3956 wrote to memory of 2440	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

description pid process

Token: SeDebugPrivilege 3956 SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

description	pid	process
Token: SeDebugPrivilege	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exeSecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

pid	process
3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
2440	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
2440	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

description	pid	process	target process
PID 3956 set thread context of 2440	3956	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe	SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2440-0-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/2440-0-0x0000000000400000-0x000000000042D000-memory.dmp	formbook
behavioral2/memory/2440-1-0x000000000041E200-mapping.dmp	formbook

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
"{path}"
2⤵
PID:2432

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.17.10332.27788.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2440

memory/2440-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2440-1-0x000000000041E200-mapping.dmp

Download