formbook | f1b8fc3f682366d92c9e28463c7ff61680deda3af51956b72aa37b3fc32ca831

General

Target

b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
Size

601KB
MD5

81326fb3d6db7adb4938d0ea495a7d8e
SHA1

496e10908df973637f53be3556843a9264b55337
SHA256

b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b
SHA512

df895d329084c8e6761c59c6f1cb7b9e78072f74adf610c2f6484025ab2c9c609a627cf0c4230cc46a0ceeb6285ef80a474381a851172f5de7ef0da09474e255

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

C2

http://www.yourherogarden.net/dn7r/

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1604-59-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1604-60-0x000000000041F200-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

description	pid	process	target process
PID 844 set thread context of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exeb09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

pid	process
844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
1604	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

description pid process

Token: SeDebugPrivilege 844 b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

description	pid	process
Token: SeDebugPrivilege	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
"C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:844

C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
"C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe"
2⤵
PID:968

C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
"C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe"
2⤵
PID:820

C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
"C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe"
2⤵
PID:976

C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
"C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe"
2⤵
PID:1776

C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
"C:\Users\Admin\AppData\Local\Temp\b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/844-53-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download
memory/844-55-0x0000000004AF0000-0x0000000004AF1000-memory.dmp

Filesize
4KB

Download
memory/844-56-0x0000000000650000-0x000000000066D000-memory.dmp

Filesize
116KB

Download
memory/844-57-0x0000000004FB0000-0x0000000005011000-memory.dmp

Filesize
388KB

Download
memory/844-58-0x0000000002020000-0x0000000002052000-memory.dmp

Filesize
200KB

Download
memory/1604-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-60-0x000000000041F200-mapping.dmp

Download
memory/1604-61-0x0000000000B50000-0x0000000000E53000-memory.dmp

Filesize
3.0MB

Download

description	pid	process	target process
PID 844 wrote to memory of 968	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 968	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 968	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 968	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 820	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 820	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 820	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 820	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 976	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 976	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 976	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 976	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1776	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1776	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1776	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1776	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe
PID 844 wrote to memory of 1604	844	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe	b09dd6b473d43843832e73642098fca7b9651aa0160046d332fc7d04878c6d6b.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads