formbook | 14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd

General

Target

1b415a56616a9f7c2e37fc2ce570664f.exe
Size

884KB
MD5

1b415a56616a9f7c2e37fc2ce570664f
SHA1

2e7a5b8378e9a0e5fd7f5a8321af4d128ef2a1a3
SHA256

14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd
SHA512

e77e25ffeae630cc2413fd969462a7fd019738f2981b4304ab6ba4cc5bb9530db3f1210c5cb90665529f6c25c03f6a63362362a18e6bb801edeccc979a0f711b

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.lifeafterbobby.com/vn3b/

Decoy

rowenglobal.com

abrirumaempresa.com

videosbet.xyz

blackbettyxt.com

trust-red.net

sonyalpharunors.com

shiqichaoji.com

allex-ru.com

totalpowerpc.store

ptocom.com

quantumsai.club

toughcookie.love

nivafitness.com

bioskopmovie21.com

giatsaygiare.com

xiongmaojingxuan.com

zjjly88.com

trampmotorsports.com

pibblekibble.com

mymounntnittanyhealth.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/2388-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/2388-126-0x000000000041EB70-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3540 set thread context of 2388	3540	1b415a56616a9f7c2e37fc2ce570664f.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2388	1b415a56616a9f7c2e37fc2ce570664f.exe
2388	1b415a56616a9f7c2e37fc2ce570664f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3540 wrote to memory of 2388	3540	1b415a56616a9f7c2e37fc2ce570664f.exe	78
PID 3540 wrote to memory of 2388	3540	1b415a56616a9f7c2e37fc2ce570664f.exe	78
PID 3540 wrote to memory of 2388	3540	1b415a56616a9f7c2e37fc2ce570664f.exe	78
PID 3540 wrote to memory of 2388	3540	1b415a56616a9f7c2e37fc2ce570664f.exe	78
PID 3540 wrote to memory of 2388	3540	1b415a56616a9f7c2e37fc2ce570664f.exe	78
PID 3540 wrote to memory of 2388	3540	1b415a56616a9f7c2e37fc2ce570664f.exe	78

C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe
"C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3540
- C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe
  "C:\Users\Admin\AppData\Local\Temp\1b415a56616a9f7c2e37fc2ce570664f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2388

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2388-128-0x0000000000F40000-0x0000000001260000-memory.dmp

Filesize
3.1MB

Download
memory/3540-121-0x00000000057B0000-0x000000000584C000-memory.dmp

Filesize
624KB

Download
memory/3540-119-0x0000000005860000-0x0000000005861000-memory.dmp

Filesize
4KB

Download
memory/3540-120-0x0000000005B10000-0x0000000005B11000-memory.dmp

Filesize
4KB

Download
memory/3540-114-0x0000000000F60000-0x0000000000F61000-memory.dmp

Filesize
4KB

Download
memory/3540-122-0x0000000005CF0000-0x0000000005CFF000-memory.dmp

Filesize
60KB

Download
memory/3540-123-0x00000000090D0000-0x000000000914A000-memory.dmp

Filesize
488KB

Download
memory/3540-124-0x000000000B720000-0x000000000B761000-memory.dmp

Filesize
260KB

Download
memory/3540-118-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/3540-117-0x0000000005E40000-0x0000000005E41000-memory.dmp

Filesize
4KB

Download
memory/3540-116-0x00000000058A0000-0x00000000058A1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing