formbook | 182fd1343975d43f456f199f379210d562d15ea3c8e4c7bd59899d75c18a2fe9

General

Target

806f81ab862618774ee7a5a197af916c.exe
Size

968KB
MD5

806f81ab862618774ee7a5a197af916c
SHA1

347c8bea6d0434f82ee7332d8b59705314e0e49a
SHA256

182fd1343975d43f456f199f379210d562d15ea3c8e4c7bd59899d75c18a2fe9
SHA512

7d93b04da992cba93e29e69fa548c9415a9a22b9f3d7a357e2271c622cf73c11479c373102b9d2f10b255ade8e8874c2729be1b1ea968c31a0b9126630b6d3ec

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.aftabzahur.com/wgn/

Decoy

kokokara-life-blog.com

faswear.com

futureleadershiptoday.com

date4done.xyz

thecouponinn.com

bbeycarpetsf.com

propolisnasalspray.com

jinjudiamond.com

goodevectors.com

nehyam.com

evalinkapuppets.com

what-if-statistics.com

rateofrisk.com

impacttestonlinne.com

servis-kaydet.info

coloniacafe.com

marcemarketing.com

aarigging.com

goddesswitchery.com

jasqblo.icu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1136-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1136-13-0x000000000041EAC0-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

806f81ab862618774ee7a5a197af916c.exe

description pid process target process

PID 3932 set thread context of 1136 3932 806f81ab862618774ee7a5a197af916c.exe 806f81ab862618774ee7a5a197af916c.exe

description	pid	process	target process
PID 3932 set thread context of 1136	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

806f81ab862618774ee7a5a197af916c.exe806f81ab862618774ee7a5a197af916c.exe

pid	process
3932	806f81ab862618774ee7a5a197af916c.exe
3932	806f81ab862618774ee7a5a197af916c.exe
1136	806f81ab862618774ee7a5a197af916c.exe
1136	806f81ab862618774ee7a5a197af916c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

806f81ab862618774ee7a5a197af916c.exe

description pid process

Token: SeDebugPrivilege 3932 806f81ab862618774ee7a5a197af916c.exe

description	pid	process
Token: SeDebugPrivilege	3932	806f81ab862618774ee7a5a197af916c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

806f81ab862618774ee7a5a197af916c.exe

description	pid	process	target process
PID 3932 wrote to memory of 1952	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1952	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1952	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1136	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1136	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1136	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1136	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1136	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe
PID 3932 wrote to memory of 1136	3932	806f81ab862618774ee7a5a197af916c.exe	806f81ab862618774ee7a5a197af916c.exe

C:\Users\Admin\AppData\Local\Temp\806f81ab862618774ee7a5a197af916c.exe
"C:\Users\Admin\AppData\Local\Temp\806f81ab862618774ee7a5a197af916c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3932

C:\Users\Admin\AppData\Local\Temp\806f81ab862618774ee7a5a197af916c.exe
"{path}"
2⤵
PID:1952

C:\Users\Admin\AppData\Local\Temp\806f81ab862618774ee7a5a197af916c.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1136

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1136-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1136-13-0x000000000041EAC0-mapping.dmp

Download
memory/1136-15-0x0000000001440000-0x0000000001760000-memory.dmp

Filesize
3.1MB

Download
memory/3932-2-0x0000000073300000-0x00000000739EE000-memory.dmp

Filesize
6.9MB

Download
memory/3932-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3932-5-0x0000000005010000-0x0000000005011000-memory.dmp

Filesize
4KB

Download
memory/3932-6-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/3932-7-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/3932-8-0x0000000004D80000-0x0000000004D8E000-memory.dmp

Filesize
56KB

Download
memory/3932-9-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/3932-10-0x0000000006920000-0x000000000696C000-memory.dmp

Filesize
304KB

Download
memory/3932-11-0x0000000007010000-0x0000000007011000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads