formbook | 418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb

General

Target

418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
Size

519KB
MD5

2ec3d70225772498f80108a182cce96c
SHA1

6da53a575bb0b6fb0bf43cb08a0d39bf7ba3f70c
SHA256

418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb
SHA512

f8f4c39601fdf1fe6e115c9b423fb89d5225b91eb82b4e758945e7143caef6fae55b3df3cd19940e12160f9ea494c3b464be6c3833254a6a78e5765e429e2322

Score

10^/10

formbook ed9s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ed9s

C2

http://www.vaughnmethod.com/ed9s/

Decoy

pocketoptioniraq.com

merabestsolutions.com

atelectronics.site

fuxueshi.net

infinitystay.com

forensicconcept.site

txpmachine.com

masterwhs.xyz

dia-gnwsis.art

fulltiltnodes.com

bigbnbbsc.com

formation-figma.com

bonanacroin.net

medicalmarijuanasatx.com

bagnavy.com

aaegiscares.net

presentationpublicschool.com

bestyousite.site

prescriptionn.com

beyondthenormbouquets.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2904-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2904-125-0x000000000041F160-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe

description	pid	process	target process
PID 3048 set thread context of 2904	3048	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe

pid	process
2904	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
2904	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe

description	pid	process	target process
PID 3048 wrote to memory of 2904	3048	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
PID 3048 wrote to memory of 2904	3048	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
PID 3048 wrote to memory of 2904	3048	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
PID 3048 wrote to memory of 2904	3048	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
PID 3048 wrote to memory of 2904	3048	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
PID 3048 wrote to memory of 2904	3048	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe	418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe

C:\Users\Admin\AppData\Local\Temp\418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
"C:\Users\Admin\AppData\Local\Temp\418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3048

C:\Users\Admin\AppData\Local\Temp\418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe
"C:\Users\Admin\AppData\Local\Temp\418d0a404118bfad6b0a926c6f8f8fd587d1a8517e92729531139c6bbe0c0ebb.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2904-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2904-125-0x000000000041F160-mapping.dmp

Download
memory/2904-126-0x00000000015B0000-0x00000000018D0000-memory.dmp

Filesize
3.1MB

Download
memory/3048-115-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/3048-117-0x0000000005770000-0x0000000005771000-memory.dmp

Filesize
4KB

Download
memory/3048-118-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3048-119-0x0000000005140000-0x0000000005141000-memory.dmp

Filesize
4KB

Download
memory/3048-120-0x0000000005270000-0x000000000576E000-memory.dmp

Filesize
5.0MB

Download
memory/3048-121-0x0000000005F30000-0x0000000005F37000-memory.dmp

Filesize
28KB

Download
memory/3048-122-0x0000000008E60000-0x0000000008E61000-memory.dmp

Filesize
4KB

Download
memory/3048-123-0x0000000008E10000-0x0000000008E60000-memory.dmp

Filesize
320KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads