formbook | 30dd3160b2a93b2b20726e2707ad4781b8e6e3802865fc1f0582a3b9eb1644e0

General

Target

e58bbe8181fc690e1b6d806514afaa6d.exe
Size

871KB
MD5

e58bbe8181fc690e1b6d806514afaa6d
SHA1

351a819674f7293a00dfed0f9e8c08a1dadad562
SHA256

30dd3160b2a93b2b20726e2707ad4781b8e6e3802865fc1f0582a3b9eb1644e0
SHA512

717ff39223e387d82e7b2fee06f9866bdcf86bfbaf5c7d42c435a568d7998810dd18a8703d345657badb13a54b4620cb2201739c28b08a4c0e52185c609e64d1

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.bytecommunication.com/aky/

Decoy

jeiksaoeklea.com

sagame-auto.net

soloseriolavoro.com

thecreatorsbook.com

superskritch.com

oroxequipment.com

heart-of-art.online

liwedfg.com

fisherofsouls.com

jota.xyz

nehyam.com

smart-contact-delivery.com

hoom.guru

dgryds.com

thesoakcpd.com

mishv.com

rings-factory.info

bero-craft-beers.com

podcastnamegenerators.com

856379813.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4400-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4400-12-0x000000000041EB60-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

e58bbe8181fc690e1b6d806514afaa6d.exe

description pid process target process

PID 4760 set thread context of 4400 4760 e58bbe8181fc690e1b6d806514afaa6d.exe e58bbe8181fc690e1b6d806514afaa6d.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e58bbe8181fc690e1b6d806514afaa6d.exe

pid process

4400 e58bbe8181fc690e1b6d806514afaa6d.exe
4400 e58bbe8181fc690e1b6d806514afaa6d.exe

description	pid	process	target process
PID 4760 set thread context of 4400	4760	e58bbe8181fc690e1b6d806514afaa6d.exe	e58bbe8181fc690e1b6d806514afaa6d.exe

pid	process
4400	e58bbe8181fc690e1b6d806514afaa6d.exe
4400	e58bbe8181fc690e1b6d806514afaa6d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

e58bbe8181fc690e1b6d806514afaa6d.exe

description	pid	process	target process
PID 4760 wrote to memory of 4400	4760	e58bbe8181fc690e1b6d806514afaa6d.exe	e58bbe8181fc690e1b6d806514afaa6d.exe
PID 4760 wrote to memory of 4400	4760	e58bbe8181fc690e1b6d806514afaa6d.exe	e58bbe8181fc690e1b6d806514afaa6d.exe
PID 4760 wrote to memory of 4400	4760	e58bbe8181fc690e1b6d806514afaa6d.exe	e58bbe8181fc690e1b6d806514afaa6d.exe
PID 4760 wrote to memory of 4400	4760	e58bbe8181fc690e1b6d806514afaa6d.exe	e58bbe8181fc690e1b6d806514afaa6d.exe
PID 4760 wrote to memory of 4400	4760	e58bbe8181fc690e1b6d806514afaa6d.exe	e58bbe8181fc690e1b6d806514afaa6d.exe
PID 4760 wrote to memory of 4400	4760	e58bbe8181fc690e1b6d806514afaa6d.exe	e58bbe8181fc690e1b6d806514afaa6d.exe

C:\Users\Admin\AppData\Local\Temp\e58bbe8181fc690e1b6d806514afaa6d.exe
"C:\Users\Admin\AppData\Local\Temp\e58bbe8181fc690e1b6d806514afaa6d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4760

C:\Users\Admin\AppData\Local\Temp\e58bbe8181fc690e1b6d806514afaa6d.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4400

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4400-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4400-12-0x000000000041EB60-mapping.dmp

Download
memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp

Filesize
6.9MB

Download
memory/4760-3-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4760-5-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4760-6-0x0000000004FB0000-0x0000000004FB1000-memory.dmp

Filesize
4KB

Download
memory/4760-7-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/4760-8-0x00000000050C0000-0x00000000050CE000-memory.dmp

Filesize
56KB

Download
memory/4760-9-0x0000000007360000-0x00000000073F3000-memory.dmp

Filesize
588KB

Download
memory/4760-10-0x00000000074A0000-0x00000000074A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing