formbook | 2efbb8abb0745a78dba6bdd6137619d948b47b352ab95732f00471831f95ad6d

General

Target

0987654345690987654356787654.exe
Size

647KB
MD5

8de5c116b2cde266b707582ade061a55
SHA1

21a6a11acfcd3c975efacf067d8b9db96072246c
SHA256

2efbb8abb0745a78dba6bdd6137619d948b47b352ab95732f00471831f95ad6d
SHA512

f50236d58dfb2c0670101b97e57fb780a48e0cddf34a60d28057f5cf9e6cfe91d1e87851c08de00480750977bb503596aedb51b1c06fea80a2057f4c1f4536fa

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.btyaning.com/mpr/

Decoy

314278.com

tantradarsan.com

benefitlmc.com

enterprisedisruptors.com

shoptesa.com

yourvirtualjob.com

queencz.com

meddypro.com

sarahcasias.com

mhrcbxnuwf.com

elgoldetuvida.com

veeyvmgwh.icu

virtualpos.info

handymanlothian.com

shopbond.com

21att.com

fluffbylaww.com

mcintyreanddodd.com

familycq.com

spareprelude.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3640-124-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3640-125-0x000000000041EA90-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

0987654345690987654356787654.exe

description pid process target process

PID 4432 set thread context of 3640 4432 0987654345690987654356787654.exe 0987654345690987654356787654.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0987654345690987654356787654.exe

pid process

3640 0987654345690987654356787654.exe
3640 0987654345690987654356787654.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

0987654345690987654356787654.exe

description pid process

Token: SeDebugPrivilege 4432 0987654345690987654356787654.exe

description	pid	process	target process
PID 4432 set thread context of 3640	4432	0987654345690987654356787654.exe	0987654345690987654356787654.exe

pid	process
3640	0987654345690987654356787654.exe
3640	0987654345690987654356787654.exe

description	pid	process
Token: SeDebugPrivilege	4432	0987654345690987654356787654.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

0987654345690987654356787654.exe

description	pid	process	target process
PID 4432 wrote to memory of 3640	4432	0987654345690987654356787654.exe	0987654345690987654356787654.exe
PID 4432 wrote to memory of 3640	4432	0987654345690987654356787654.exe	0987654345690987654356787654.exe
PID 4432 wrote to memory of 3640	4432	0987654345690987654356787654.exe	0987654345690987654356787654.exe
PID 4432 wrote to memory of 3640	4432	0987654345690987654356787654.exe	0987654345690987654356787654.exe
PID 4432 wrote to memory of 3640	4432	0987654345690987654356787654.exe	0987654345690987654356787654.exe
PID 4432 wrote to memory of 3640	4432	0987654345690987654356787654.exe	0987654345690987654356787654.exe

C:\Users\Admin\AppData\Local\Temp\0987654345690987654356787654.exe
"C:\Users\Admin\AppData\Local\Temp\0987654345690987654356787654.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4432
- C:\Users\Admin\AppData\Local\Temp\0987654345690987654356787654.exe
  "C:\Users\Admin\AppData\Local\Temp\0987654345690987654356787654.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3640-124-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3640-125-0x000000000041EA90-mapping.dmp

Download
memory/3640-127-0x0000000001890000-0x0000000001BB0000-memory.dmp

Filesize
3.1MB

Download
memory/4432-114-0x0000000000E50000-0x0000000000E51000-memory.dmp

Filesize
4KB

Download
memory/4432-116-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/4432-117-0x0000000005740000-0x0000000005741000-memory.dmp

Filesize
4KB

Download
memory/4432-118-0x0000000005880000-0x0000000005881000-memory.dmp

Filesize
4KB

Download
memory/4432-119-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/4432-120-0x0000000005870000-0x0000000005874000-memory.dmp

Filesize
16KB

Download
memory/4432-121-0x0000000005740000-0x0000000005C3E000-memory.dmp

Filesize
5.0MB

Download
memory/4432-122-0x00000000016D0000-0x000000000174D000-memory.dmp

Filesize
500KB

Download
memory/4432-123-0x0000000006280000-0x00000000062B8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing