formbook | 8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2

General

Target

8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
Size

1.0MB
MD5

232a964f2335bd594cc991d75b5794e1
SHA1

40b0c49f9cb93c9537662c948efe09ee1293491e
SHA256

8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2
SHA512

8583a71e22bbc5cf0ed61358d7237d14bac712ab5e281854717a3fcfec7388d214d9fca564455f1efa3934956d6af4c5a27391ccb9c312dc95b38f56361b012b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

C2

http://www.paniciagency.com/n6sn/

Decoy

siearrasmission.com

exploringcharlotte.com

michaelthomasgunn.com

automationmarketers.com

vynxcl3kv3.com

df2229.com

vazivaimmo.net

usful.info

vescuderoabogados.com

janidevco.com

newshum.com

teamworkgod.com

snowwayconstruction.com

s8fyit.com

economicidentity.com

jennysay.com

gamoauction.com

thebooksofblood.com

graymatter-bi.com

newtownquick.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1548-14-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/1548-15-0x000000000041ED20-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe

description	pid	process	target process
PID 3284 set thread context of 1548	3284	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe

pid	process
1548	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
1548	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe

description	pid	process	target process
PID 3284 wrote to memory of 1548	3284	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
PID 3284 wrote to memory of 1548	3284	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
PID 3284 wrote to memory of 1548	3284	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
PID 3284 wrote to memory of 1548	3284	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
PID 3284 wrote to memory of 1548	3284	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
PID 3284 wrote to memory of 1548	3284	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe	8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe

C:\Users\Admin\AppData\Local\Temp\8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
"C:\Users\Admin\AppData\Local\Temp\8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3284

C:\Users\Admin\AppData\Local\Temp\8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe
"C:\Users\Admin\AppData\Local\Temp\8ea59257ca1ccc0d6680d184a985dff22180e056aec54b3afd3ed2c3ad3bc4d2.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1548-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1548-17-0x00000000010E0000-0x0000000001400000-memory.dmp

Filesize
3.1MB

Download
memory/1548-15-0x000000000041ED20-mapping.dmp

Download
memory/3284-9-0x0000000005570000-0x0000000005571000-memory.dmp

Filesize
4KB

Download
memory/3284-7-0x00000000053B0000-0x00000000053B1000-memory.dmp

Filesize
4KB

Download
memory/3284-8-0x0000000005330000-0x0000000005331000-memory.dmp

Filesize
4KB

Download
memory/3284-2-0x00000000733A0000-0x0000000073A8E000-memory.dmp

Filesize
6.9MB

Download
memory/3284-10-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/3284-11-0x0000000005640000-0x0000000005641000-memory.dmp

Filesize
4KB

Download
memory/3284-12-0x0000000005520000-0x0000000005543000-memory.dmp

Filesize
140KB

Download
memory/3284-13-0x00000000064D0000-0x0000000006536000-memory.dmp

Filesize
408KB

Download
memory/3284-6-0x0000000005810000-0x0000000005811000-memory.dmp

Filesize
4KB

Download
memory/3284-5-0x0000000005270000-0x0000000005271000-memory.dmp

Filesize
4KB

Download
memory/3284-3-0x0000000000970000-0x0000000000971000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads