formbook | c383b5258941145e0402f4d3be4b2f0c19dbcb842f9d2954e1acf8806a1b9800

General

Target

1a712a0fc2242cb4474056e2636751c3.exe
Size

840KB
MD5

1a712a0fc2242cb4474056e2636751c3
SHA1

0bb274ae62bbab2a20827ff4f6e57b3173245f2c
SHA256

c383b5258941145e0402f4d3be4b2f0c19dbcb842f9d2954e1acf8806a1b9800
SHA512

5762db243a882ae2b0856fe61857f58824341c940af8c6cec40896623cd8876fe26a19022fa52f3b84ae6cb9dda9af5ad4ac595bbdac09570dd02d61e4278171

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.bytecommunication.com/aky/

Decoy

jeiksaoeklea.com

sagame-auto.net

soloseriolavoro.com

thecreatorsbook.com

superskritch.com

oroxequipment.com

heart-of-art.online

liwedfg.com

fisherofsouls.com

jota.xyz

nehyam.com

smart-contact-delivery.com

hoom.guru

dgryds.com

thesoakcpd.com

mishv.com

rings-factory.info

bero-craft-beers.com

podcastnamegenerators.com

856379813.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2916-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2916-12-0x000000000041EB60-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

1a712a0fc2242cb4474056e2636751c3.exe

description pid process target process

PID 4700 set thread context of 2916 4700 1a712a0fc2242cb4474056e2636751c3.exe 1a712a0fc2242cb4474056e2636751c3.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1a712a0fc2242cb4474056e2636751c3.exe

pid process

2916 1a712a0fc2242cb4474056e2636751c3.exe
2916 1a712a0fc2242cb4474056e2636751c3.exe

description	pid	process	target process
PID 4700 set thread context of 2916	4700	1a712a0fc2242cb4474056e2636751c3.exe	1a712a0fc2242cb4474056e2636751c3.exe

pid	process
2916	1a712a0fc2242cb4474056e2636751c3.exe
2916	1a712a0fc2242cb4474056e2636751c3.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1a712a0fc2242cb4474056e2636751c3.exe

description	pid	process	target process
PID 4700 wrote to memory of 2916	4700	1a712a0fc2242cb4474056e2636751c3.exe	1a712a0fc2242cb4474056e2636751c3.exe
PID 4700 wrote to memory of 2916	4700	1a712a0fc2242cb4474056e2636751c3.exe	1a712a0fc2242cb4474056e2636751c3.exe
PID 4700 wrote to memory of 2916	4700	1a712a0fc2242cb4474056e2636751c3.exe	1a712a0fc2242cb4474056e2636751c3.exe
PID 4700 wrote to memory of 2916	4700	1a712a0fc2242cb4474056e2636751c3.exe	1a712a0fc2242cb4474056e2636751c3.exe
PID 4700 wrote to memory of 2916	4700	1a712a0fc2242cb4474056e2636751c3.exe	1a712a0fc2242cb4474056e2636751c3.exe
PID 4700 wrote to memory of 2916	4700	1a712a0fc2242cb4474056e2636751c3.exe	1a712a0fc2242cb4474056e2636751c3.exe

C:\Users\Admin\AppData\Local\Temp\1a712a0fc2242cb4474056e2636751c3.exe
"C:\Users\Admin\AppData\Local\Temp\1a712a0fc2242cb4474056e2636751c3.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4700

C:\Users\Admin\AppData\Local\Temp\1a712a0fc2242cb4474056e2636751c3.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2916-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2916-12-0x000000000041EB60-mapping.dmp

Download
memory/4700-2-0x0000000073CE0000-0x00000000743CE000-memory.dmp

Filesize
6.9MB

Download
memory/4700-3-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/4700-5-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download
memory/4700-6-0x0000000004C20000-0x0000000004C21000-memory.dmp

Filesize
4KB

Download
memory/4700-7-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4700-8-0x0000000004EC0000-0x0000000004ECE000-memory.dmp

Filesize
56KB

Download
memory/4700-9-0x0000000007190000-0x0000000007224000-memory.dmp

Filesize
592KB

Download
memory/4700-10-0x00000000072D0000-0x00000000072D1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing