formbook | 14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd

General

Target

1b415a56616a9f7c2e37fc2ce570664f.exe
Size

884KB
MD5

1b415a56616a9f7c2e37fc2ce570664f
SHA1

2e7a5b8378e9a0e5fd7f5a8321af4d128ef2a1a3
SHA256

14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd
SHA512

e77e25ffeae630cc2413fd969462a7fd019738f2981b4304ab6ba4cc5bb9530db3f1210c5cb90665529f6c25c03f6a63362362a18e6bb801edeccc979a0f711b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.lifeafterbobby.com/vn3b/

Decoy

rowenglobal.com

abrirumaempresa.com

videosbet.xyz

blackbettyxt.com

trust-red.net

sonyalpharunors.com

shiqichaoji.com

allex-ru.com

totalpowerpc.store

ptocom.com

quantumsai.club

toughcookie.love

nivafitness.com

bioskopmovie21.com

giatsaygiare.com

xiongmaojingxuan.com

zjjly88.com

trampmotorsports.com

pibblekibble.com

mymounntnittanyhealth.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/764-66-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/764-67-0x000000000041EB70-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

1b415a56616a9f7c2e37fc2ce570664f.exe

description pid process target process

PID 1904 set thread context of 764 1904 1b415a56616a9f7c2e37fc2ce570664f.exe 1b415a56616a9f7c2e37fc2ce570664f.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1b415a56616a9f7c2e37fc2ce570664f.exe1b415a56616a9f7c2e37fc2ce570664f.exe

pid process

1904 1b415a56616a9f7c2e37fc2ce570664f.exe
764 1b415a56616a9f7c2e37fc2ce570664f.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1b415a56616a9f7c2e37fc2ce570664f.exe

description pid process

Token: SeDebugPrivilege 1904 1b415a56616a9f7c2e37fc2ce570664f.exe

description	pid	process	target process
PID 1904 set thread context of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe

pid	process
1904	1b415a56616a9f7c2e37fc2ce570664f.exe
764	1b415a56616a9f7c2e37fc2ce570664f.exe

description	pid	process
Token: SeDebugPrivilege	1904	1b415a56616a9f7c2e37fc2ce570664f.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

1b415a56616a9f7c2e37fc2ce570664f.exe

description	pid	process	target process
PID 1904 wrote to memory of 396	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 396	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 396	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 396	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe
PID 1904 wrote to memory of 764	1904	1b415a56616a9f7c2e37fc2ce570664f.exe	1b415a56616a9f7c2e37fc2ce570664f.exe

C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe
"C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1904

C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe
"C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe"
2⤵
PID:396

C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe
"C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:764

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/764-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/764-67-0x000000000041EB70-mapping.dmp

Download
memory/764-69-0x0000000000CD0000-0x0000000000FD3000-memory.dmp

Filesize
3.0MB

Download
memory/1904-60-0x0000000000900000-0x0000000000901000-memory.dmp

Filesize
4KB

Download
memory/1904-62-0x0000000004D90000-0x0000000004D91000-memory.dmp

Filesize
4KB

Download
memory/1904-63-0x0000000000290000-0x000000000029F000-memory.dmp

Filesize
60KB

Download
memory/1904-64-0x0000000007DF0000-0x0000000007E6A000-memory.dmp

Filesize
488KB

Download
memory/1904-65-0x0000000000500000-0x0000000000541000-memory.dmp

Filesize
260KB

Download

Analysis

Sharing