formbook | 56956d4a429d87ca1a8ad157be0d50add41f68c3ec5571c88bdd6a8e5bc29273

General

Target

79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
Size

716KB
MD5

80a7d8ecbc520bdbb9e92fc0883fc3bf
SHA1

77130d8315019413a3c3f68ca7ebe3b522a41a74
SHA256

79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b
SHA512

1648734c85804a8d6d3af028eb857621e0e8bd130890f28f6e58e36c402226eb76c073c4d8a4c14d5c5103e661965993374e6e7fd599fe8224b149b8023e374e

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.sunderstudios.com/blo/

Decoy

introducingsadieann.com

batterrydaddy.com

restaurantechoytac.digital

toriox.tech

cursosonline.pro

onegreenmother.com

canyonpark-home.com

charleserick9.com

coldavis-81720-1634.com

deliandgyros.com

darrenjmajor.com

chekax.com

twinsepower.com

welinkautollc.com

kimlmontgomery.com

ligature.net

bllbirdcrk.com

happilyeverfi.com

hahdigitalmarketinghelp.com

onecomcall.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1652-65-0x000000000041EB40-mapping.dmp	formbook
behavioral1/memory/1652-64-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

description	pid	process	target process
PID 1888 set thread context of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

pid	process
1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
1652	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

description pid process

Token: SeDebugPrivilege 1888 79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

description	pid	process
Token: SeDebugPrivilege	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

description	pid	process	target process
PID 1888 wrote to memory of 1644	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1644	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1644	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1644	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
PID 1888 wrote to memory of 1652	1888	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe	79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe

C:\Users\Admin\AppData\Local\Temp\79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
"C:\Users\Admin\AppData\Local\Temp\79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1888

C:\Users\Admin\AppData\Local\Temp\79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
"C:\Users\Admin\AppData\Local\Temp\79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe"
2⤵
PID:1644

C:\Users\Admin\AppData\Local\Temp\79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe
"C:\Users\Admin\AppData\Local\Temp\79b58cbefa964dfc78a5fbf12179eeb101912ddce145a68c9142cfbf9cbb120b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1652-65-0x000000000041EB40-mapping.dmp

Download
memory/1652-64-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1652-66-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1888-59-0x0000000010EA0000-0x0000000010EA1000-memory.dmp

Filesize
4KB

Download
memory/1888-61-0x0000000000440000-0x0000000000444000-memory.dmp

Filesize
16KB

Download
memory/1888-62-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/1888-63-0x00000000043C0000-0x000000000441E000-memory.dmp

Filesize
376KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads