formbook | ddf35d45c7f1257634905c047c8ddfd40e75dcda9ca39a658c00698e25f3db22

General

Target

14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
Size

884KB
MD5

1b415a56616a9f7c2e37fc2ce570664f
SHA1

2e7a5b8378e9a0e5fd7f5a8321af4d128ef2a1a3
SHA256

14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd
SHA512

e77e25ffeae630cc2413fd969462a7fd019738f2981b4304ab6ba4cc5bb9530db3f1210c5cb90665529f6c25c03f6a63362362a18e6bb801edeccc979a0f711b

Score

10^/10

formbook vn3b rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vn3b

C2

http://www.lifeafterbobby.com/vn3b/

Decoy

rowenglobal.com

abrirumaempresa.com

videosbet.xyz

blackbettyxt.com

trust-red.net

sonyalpharunors.com

shiqichaoji.com

allex-ru.com

totalpowerpc.store

ptocom.com

quantumsai.club

toughcookie.love

nivafitness.com

bioskopmovie21.com

giatsaygiare.com

xiongmaojingxuan.com

zjjly88.com

trampmotorsports.com

pibblekibble.com

mymounntnittanyhealth.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3284-125-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/3284-126-0x000000000041EB70-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 3284	4016	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	78

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3284	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
3284	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4016 wrote to memory of 3284	4016	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	78
PID 4016 wrote to memory of 3284	4016	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	78
PID 4016 wrote to memory of 3284	4016	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	78
PID 4016 wrote to memory of 3284	4016	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	78
PID 4016 wrote to memory of 3284	4016	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	78
PID 4016 wrote to memory of 3284	4016	14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe	78

C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
"C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4016
- C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe
  "C:\Users\Admin\AppData\Local\Temp\14ebcbc69653d3257eb42c91734bcf2a1ca5dff12c31c06cf955279ea4af5bfd.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3284-125-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3284-127-0x00000000010B0000-0x00000000013D0000-memory.dmp

Filesize
3.1MB

Download
memory/4016-121-0x0000000005260000-0x0000000005261000-memory.dmp

Filesize
4KB

Download
memory/4016-119-0x0000000002A60000-0x0000000002A61000-memory.dmp

Filesize
4KB

Download
memory/4016-120-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

Filesize
4KB

Download
memory/4016-114-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/4016-122-0x00000000029B0000-0x00000000029BF000-memory.dmp

Filesize
60KB

Download
memory/4016-123-0x00000000086C0000-0x000000000873A000-memory.dmp

Filesize
488KB

Download
memory/4016-124-0x0000000008C40000-0x0000000008C81000-memory.dmp

Filesize
260KB

Download
memory/4016-118-0x00000000051C0000-0x00000000051C1000-memory.dmp

Filesize
4KB

Download
memory/4016-117-0x00000000056C0000-0x00000000056C1000-memory.dmp

Filesize
4KB

Download
memory/4016-116-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing