formbook | f198ab80b865300fc6721e506292ddbe21d18004daec3f567c53fd9e2d86dc7f

General

Target

3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
Size

888KB
MD5

3ecdafd3c19efbfc4f06d5d2aefd02b8
SHA1

808ab748f5fee7b4f5b802a89b1e3ac44e47fdd1
SHA256

f198ab80b865300fc6721e506292ddbe21d18004daec3f567c53fd9e2d86dc7f
SHA512

99098adfaa9358d10ccd47b63631b0369fb8bdd4a95714c2611d2668e9aba20c3671bb42af59ec773470e1297f13d28ccf09d8280a3b2e1cdb9dbce920526523

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hai96.com/lvno/

Decoy

pennilanecompany.com

doshjpft.icu

avolveathlete.com

infinixinfo.com

boforpresident.com

tepeyaccafe.com

psontour.com

bootyandbeauty.com

saisdgiveaway.com

pokebrostogo.com

pizzafromsky.com

cobroking.site

greisslerbox.com

twittletweet.com

xwbcm817.xyz

100hougong.com

fdn2018.com

bestrankedstuff.com

astralmotivations.com

gottagowalkies.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3736-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3736-126-0x000000000041EB20-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

description pid process target process

PID 2388 set thread context of 3736 2388 3ecdafd3c19efbfc4f06d5d2aefd02b8.exe 3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

description	pid	process	target process
PID 2388 set thread context of 3736	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

3ecdafd3c19efbfc4f06d5d2aefd02b8.exe3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

pid	process
2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
3736	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
3736	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

description pid process

Token: SeDebugPrivilege 2388 3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

description	pid	process
Token: SeDebugPrivilege	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

description	pid	process	target process
PID 2388 wrote to memory of 3396	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3396	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3396	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3292	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3292	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3292	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3736	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3736	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3736	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3736	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3736	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
PID 2388 wrote to memory of 3736	2388	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe	3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
"C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2388

C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
"C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe"
2⤵
PID:3396

C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
"C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe"
2⤵
PID:3292

C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
"C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3736

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2388-114-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2388-116-0x0000000004C90000-0x0000000004C91000-memory.dmp

Filesize
4KB

Download
memory/2388-117-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/2388-118-0x0000000004D30000-0x0000000004D31000-memory.dmp

Filesize
4KB

Download
memory/2388-119-0x0000000004BF0000-0x0000000004BF1000-memory.dmp

Filesize
4KB

Download
memory/2388-120-0x0000000004EF0000-0x0000000004EF1000-memory.dmp

Filesize
4KB

Download
memory/2388-121-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/2388-122-0x00000000050E0000-0x00000000050EF000-memory.dmp

Filesize
60KB

Download
memory/2388-123-0x0000000008490000-0x000000000850C000-memory.dmp

Filesize
496KB

Download
memory/2388-124-0x000000000AAE0000-0x000000000AB21000-memory.dmp

Filesize
260KB

Download
memory/3736-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3736-126-0x000000000041EB20-mapping.dmp

Download
memory/3736-128-0x0000000001900000-0x0000000001C20000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads