formbook | 8aa346b87c8d3d53fb5265cd0c04bbd3c8c978b7e1eb7b2e0958c078322d75e9

General

Target

b87f81920e06301937deb513ff65bf91.exe
Size

403KB
MD5

b87f81920e06301937deb513ff65bf91
SHA1

cbe9ee020d5fad93b49784f6707614804f3f8ce2
SHA256

8aa346b87c8d3d53fb5265cd0c04bbd3c8c978b7e1eb7b2e0958c078322d75e9
SHA512

edafb5cd221b340ab2b5b9c9a00d087b0a80d35bd9f07c073fc5ffb0eb4f7360f5751fbf04974ce1e94a39d649fbc7c5efd5b5400c2a255e8b9e01e2964eff27

Score

10^/10

formbook s18y rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s18y

C2

http://www.agentpathleurre.space/s18y/

Decoy

jokes-online.com

dzzdjn.com

lizzieerhardtebnaryepptts.com

interfacehand.xyz

sale-m.site

block-facebook.com

dicasdamadrinha.com

maythewind.com

hasari.net

omnists.com

thevalley-eg.com

rdfj.xyz

szhfcy.com

alkalineage.club

fdf.xyz

absorplus.com

poldolongo.com

badassshirts.club

ferienwohnungenmv.com

bilboondokoak.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1548-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1548-62-0x000000000041F120-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

b87f81920e06301937deb513ff65bf91.exe

description pid process target process

PID 1060 set thread context of 1548 1060 b87f81920e06301937deb513ff65bf91.exe b87f81920e06301937deb513ff65bf91.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

b87f81920e06301937deb513ff65bf91.exe

pid process

1548 b87f81920e06301937deb513ff65bf91.exe

description	pid	process	target process
PID 1060 set thread context of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe

pid	process
1548	b87f81920e06301937deb513ff65bf91.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

b87f81920e06301937deb513ff65bf91.exe

description	pid	process	target process
PID 1060 wrote to memory of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe
PID 1060 wrote to memory of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe
PID 1060 wrote to memory of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe
PID 1060 wrote to memory of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe
PID 1060 wrote to memory of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe
PID 1060 wrote to memory of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe
PID 1060 wrote to memory of 1548	1060	b87f81920e06301937deb513ff65bf91.exe	b87f81920e06301937deb513ff65bf91.exe

C:\Users\Admin\AppData\Local\Temp\b87f81920e06301937deb513ff65bf91.exe
"C:\Users\Admin\AppData\Local\Temp\b87f81920e06301937deb513ff65bf91.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\b87f81920e06301937deb513ff65bf91.exe
"C:\Users\Admin\AppData\Local\Temp\b87f81920e06301937deb513ff65bf91.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1548

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1060-54-0x0000000000EB0000-0x0000000000EB1000-memory.dmp

Filesize
4KB

Download
memory/1060-56-0x00000000008C0000-0x00000000008C6000-memory.dmp

Filesize
24KB

Download
memory/1060-57-0x00000000008E0000-0x00000000008E1000-memory.dmp

Filesize
4KB

Download
memory/1060-58-0x0000000005A30000-0x0000000005A80000-memory.dmp

Filesize
320KB

Download
memory/1548-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1548-62-0x000000000041F120-mapping.dmp

Download
memory/1548-63-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing