formbook | f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443

General

Target

763a170d8db1c54b150a0d2891b3fead.exe
Size

879KB
MD5

763a170d8db1c54b150a0d2891b3fead
SHA1

a5e70c7ef5c972a5507b679c573e677ec7ba28a6
SHA256

f53df4e1f9405d98a02cf34bedf2ee5df88437c130eb339eb6da9850f14ad443
SHA512

c42af58504d08fdc7b62b84fbddc059f375aa97652b02627c93063d3940ebec33381fc08522f9e5dca09058237232933da6b62786ea800ff1c7591d6a815ce9b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.zglvyouzaixian.com/nki/

Decoy

igo-digiworld.com

infrahiit.com

herhealingwater.com

inspiredbytradition.com

onlinepropertyworld.com

rvwdj.com

mudahbikinsuhi.online

multipleofferonline.com

striveyouthministry.com

affectiveneuro.net

f21m.com

perfumefashion.icu

instantcash4rvs.com

help-verifiedbadge.com

solomonislandsblog.com

vipshoppingwizard.com

doggybargains.com

fjyaoxi.net

luxpropertyandassociates.com

companyfinders.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1464-8-0x000000000041EB70-mapping.dmp	formbook
behavioral1/memory/1464-7-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

763a170d8db1c54b150a0d2891b3fead.exe

description pid process target process

PID 1756 set thread context of 1464 1756 763a170d8db1c54b150a0d2891b3fead.exe 763a170d8db1c54b150a0d2891b3fead.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

763a170d8db1c54b150a0d2891b3fead.exe

pid process

1464 763a170d8db1c54b150a0d2891b3fead.exe

description	pid	process	target process
PID 1756 set thread context of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe

pid	process
1464	763a170d8db1c54b150a0d2891b3fead.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

763a170d8db1c54b150a0d2891b3fead.exe

description	pid	process	target process
PID 1756 wrote to memory of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe
PID 1756 wrote to memory of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe
PID 1756 wrote to memory of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe
PID 1756 wrote to memory of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe
PID 1756 wrote to memory of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe
PID 1756 wrote to memory of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe
PID 1756 wrote to memory of 1464	1756	763a170d8db1c54b150a0d2891b3fead.exe	763a170d8db1c54b150a0d2891b3fead.exe

C:\Users\Admin\AppData\Local\Temp\763a170d8db1c54b150a0d2891b3fead.exe
"C:\Users\Admin\AppData\Local\Temp\763a170d8db1c54b150a0d2891b3fead.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1756

C:\Users\Admin\AppData\Local\Temp\763a170d8db1c54b150a0d2891b3fead.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1464

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1464-8-0x000000000041EB70-mapping.dmp

Download
memory/1464-7-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1756-2-0x00000000749D0000-0x00000000750BE000-memory.dmp

Filesize
6.9MB

Download
memory/1756-3-0x0000000000A30000-0x0000000000A31000-memory.dmp

Filesize
4KB

Download
memory/1756-5-0x0000000000580000-0x000000000058E000-memory.dmp

Filesize
56KB

Download
memory/1756-6-0x00000000053E0000-0x000000000547B000-memory.dmp

Filesize
620KB

Download

Analysis

Sharing