formbook | 54469ace58ddcfdd6d834574d87003857b0cda05e27a0b8e31cb0b58e6ca105d

General

Target

318c866ef078ec6d9597aaebed8bc370.exe
Size

799KB
MD5

318c866ef078ec6d9597aaebed8bc370
SHA1

4d0008cb7d64f6fb5378672bc4a2edba43546e1f
SHA256

54469ace58ddcfdd6d834574d87003857b0cda05e27a0b8e31cb0b58e6ca105d
SHA512

cd32fd72eda19e8a2210a3b646b21cbee5b722672773a49c0e4dc02fdaad9c9fb99a60326eb1a9589e4b02b3e30eb85e2c5a3b5cfd767155f72fa123f9e68985

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.survivai.com/bsdd/

Decoy

533dh.com

galerisikayet.xyz

tipsyalligator.com

crystalwellnessstudio.com

moovaap.com

lelfie.network

speedy-trips.com

prospectsolucoes.com

24x7customersservice.com

szbinsen.com

shikhardeals.com

totaldenta.com

ayksjx.com

avxrja.online

24kyule888.com

ufaw.net

spinozone.com

castvoicesmsreg.com

lajollawoodworks.com

renetyson.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2152-126-0x000000000041EB30-mapping.dmp	formbook
behavioral2/memory/2152-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3944 set thread context of 2152	3944	318c866ef078ec6d9597aaebed8bc370.exe	81

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3944	318c866ef078ec6d9597aaebed8bc370.exe
3944	318c866ef078ec6d9597aaebed8bc370.exe
3944	318c866ef078ec6d9597aaebed8bc370.exe
3944	318c866ef078ec6d9597aaebed8bc370.exe
3944	318c866ef078ec6d9597aaebed8bc370.exe
3944	318c866ef078ec6d9597aaebed8bc370.exe
2152	318c866ef078ec6d9597aaebed8bc370.exe
2152	318c866ef078ec6d9597aaebed8bc370.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3944	318c866ef078ec6d9597aaebed8bc370.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3944 wrote to memory of 1972	3944	318c866ef078ec6d9597aaebed8bc370.exe	78
PID 3944 wrote to memory of 1972	3944	318c866ef078ec6d9597aaebed8bc370.exe	78
PID 3944 wrote to memory of 1972	3944	318c866ef078ec6d9597aaebed8bc370.exe	78
PID 3944 wrote to memory of 3980	3944	318c866ef078ec6d9597aaebed8bc370.exe	79
PID 3944 wrote to memory of 3980	3944	318c866ef078ec6d9597aaebed8bc370.exe	79
PID 3944 wrote to memory of 3980	3944	318c866ef078ec6d9597aaebed8bc370.exe	79
PID 3944 wrote to memory of 2112	3944	318c866ef078ec6d9597aaebed8bc370.exe	80
PID 3944 wrote to memory of 2112	3944	318c866ef078ec6d9597aaebed8bc370.exe	80
PID 3944 wrote to memory of 2112	3944	318c866ef078ec6d9597aaebed8bc370.exe	80
PID 3944 wrote to memory of 2152	3944	318c866ef078ec6d9597aaebed8bc370.exe	81
PID 3944 wrote to memory of 2152	3944	318c866ef078ec6d9597aaebed8bc370.exe	81
PID 3944 wrote to memory of 2152	3944	318c866ef078ec6d9597aaebed8bc370.exe	81
PID 3944 wrote to memory of 2152	3944	318c866ef078ec6d9597aaebed8bc370.exe	81
PID 3944 wrote to memory of 2152	3944	318c866ef078ec6d9597aaebed8bc370.exe	81
PID 3944 wrote to memory of 2152	3944	318c866ef078ec6d9597aaebed8bc370.exe	81

C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe
"C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3944
- C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe
  "C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe"
  2⤵
  PID:1972
- C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe
  "C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe"
  2⤵
  PID:3980
- C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe
  "C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe"
  2⤵
  PID:2112
- C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe
  "C:\Users\Admin\AppData\Local\Temp\318c866ef078ec6d9597aaebed8bc370.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2152-128-0x00000000012A0000-0x00000000015C0000-memory.dmp

Filesize
3.1MB

Download
memory/2152-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3944-121-0x0000000004EF0000-0x00000000053EE000-memory.dmp

Filesize
5.0MB

Download
memory/3944-119-0x0000000004F00000-0x0000000004F01000-memory.dmp

Filesize
4KB

Download
memory/3944-120-0x0000000005150000-0x0000000005151000-memory.dmp

Filesize
4KB

Download
memory/3944-114-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/3944-122-0x0000000005140000-0x000000000514F000-memory.dmp

Filesize
60KB

Download
memory/3944-123-0x0000000000ED0000-0x0000000000F4E000-memory.dmp

Filesize
504KB

Download
memory/3944-124-0x0000000006E00000-0x0000000006E44000-memory.dmp

Filesize
272KB

Download
memory/3944-118-0x0000000004F90000-0x0000000004F91000-memory.dmp

Filesize
4KB

Download
memory/3944-117-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/3944-116-0x0000000004E10000-0x0000000004E11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing