formbook | b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766

General

Target

b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
Size

980KB
MD5

9d14ac0e8c2fc7742a10a92d44c120d4
SHA1

ef6dc297e8016e3ffea966172d6d36e19e32a8bd
SHA256

b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766
SHA512

678ff0956a0465729a84a582747147e3b774ef680cf85880f9ac218435ac5e83b68ef424ad17db9309b7eedba20c8ef2c445e584923f229405f9a014e3f76eac

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.handanzhize.info/d5/

Decoy

dsmtpf.com

korianfondation.net

eporums.com

xqnmc.com

familybusinesslawyer.net

0pe484.com

poshaesthetics.com

thaomocbamien.com

nanogoldcoin.net

uenkai.com

i58.ltd

izqnlf.men

puresunfarms.net

shebeihuishou.net

larryoldffashioned.win

salutewritersrepublic.com

astrologuecabinetconseilmc.com

takeourtips.com

pat473.com

bloq.solar

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1388-4-0x0000000000000000-mapping.dmp	formbook

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe

pid process

1388 b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe

pid process

776 b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe

pid	process
1388	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe

pid	process
776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe

Suspicious use of WriteProcessMemory 13 IoCs

Processes:

b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe

description	pid	process	target process
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
PID 776 wrote to memory of 1388	776	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe	b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe

C:\Users\Admin\AppData\Local\Temp\b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
"C:\Users\Admin\AppData\Local\Temp\b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:776

C:\Users\Admin\AppData\Local\Temp\b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe
"C:\Users\Admin\AppData\Local\Temp\b031075b8ad2558ee3ee7f0749c2b24484dd6fab7252fad71548276514b9b766.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1388

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads