formbook | f8f02165547227a6692d503cf1203dcaf2d43b58219bb78cb0e42895f49a8121

General

Target

6a0200a4316e595561f8527e3bcf27bc.exe
Size

925KB
MD5

6a0200a4316e595561f8527e3bcf27bc
SHA1

4c356c914ccdf83b8c89b6a02a2c4a9391094763
SHA256

f8f02165547227a6692d503cf1203dcaf2d43b58219bb78cb0e42895f49a8121
SHA512

af3decd9eaf59e31462fce7cdf36335814151c6c512aa0248d0877c7addbfeccdb530f01a11de1fc47b6d8f5bd1dc506175d9c0d4fd67376cd06da5e89b90470

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy

inspirafutebol.com

customgiftshouston.com

mycreativelending.com

psplaystore.com

newlivingsolutionshop.com

dechefamsterdam.com

servicingl0ans.com

atsdholdings.com

manifestarz.com

sequenceanalytica.com

gethealthcaresmart.com

theartofsurprises.com

pirateequitypatrick.com

alliance-ce.com

wingrushusa.com

funtimespheres.com

solevux.com

antimasathya.com

profitexcavator.com

lankeboxshop.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4040-128-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4040-129-0x000000000041EBD0-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6a0200a4316e595561f8527e3bcf27bc.exe

description pid process target process

PID 3908 set thread context of 4040 3908 6a0200a4316e595561f8527e3bcf27bc.exe 6a0200a4316e595561f8527e3bcf27bc.exe

description	pid	process	target process
PID 3908 set thread context of 4040	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

6a0200a4316e595561f8527e3bcf27bc.exe6a0200a4316e595561f8527e3bcf27bc.exe

pid	process
3908	6a0200a4316e595561f8527e3bcf27bc.exe
3908	6a0200a4316e595561f8527e3bcf27bc.exe
4040	6a0200a4316e595561f8527e3bcf27bc.exe
4040	6a0200a4316e595561f8527e3bcf27bc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6a0200a4316e595561f8527e3bcf27bc.exe

description pid process

Token: SeDebugPrivilege 3908 6a0200a4316e595561f8527e3bcf27bc.exe

description	pid	process
Token: SeDebugPrivilege	3908	6a0200a4316e595561f8527e3bcf27bc.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

6a0200a4316e595561f8527e3bcf27bc.exe

description	pid	process	target process
PID 3908 wrote to memory of 2156	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 2156	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 2156	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 4040	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 4040	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 4040	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 4040	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 4040	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe
PID 3908 wrote to memory of 4040	3908	6a0200a4316e595561f8527e3bcf27bc.exe	6a0200a4316e595561f8527e3bcf27bc.exe

C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe
"C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3908

C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe
"C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe"
2⤵
PID:2156

C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe
"C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3908-114-0x00000000005C0000-0x00000000005C1000-memory.dmp

Filesize
4KB

Download
memory/3908-116-0x0000000004F50000-0x0000000004F51000-memory.dmp

Filesize
4KB

Download
memory/3908-117-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/3908-118-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

Filesize
4KB

Download
memory/3908-119-0x0000000004EC0000-0x0000000004EC1000-memory.dmp

Filesize
4KB

Download
memory/3908-120-0x00000000051E0000-0x00000000051E1000-memory.dmp

Filesize
4KB

Download
memory/3908-121-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/3908-122-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/3908-123-0x0000000006D70000-0x0000000006D71000-memory.dmp

Filesize
4KB

Download
memory/3908-124-0x0000000004FF0000-0x00000000054EE000-memory.dmp

Filesize
5.0MB

Download
memory/3908-125-0x0000000006E50000-0x0000000006E6B000-memory.dmp

Filesize
108KB

Download
memory/3908-126-0x0000000006FF0000-0x0000000007065000-memory.dmp

Filesize
468KB

Download
memory/3908-127-0x00000000089E0000-0x0000000008A10000-memory.dmp

Filesize
192KB

Download
memory/4040-128-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4040-129-0x000000000041EBD0-mapping.dmp

Download
memory/4040-130-0x0000000001790000-0x0000000001AB0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads