formbook | 59193ea2bc603f875f795f48d8c2711ad6e4321853e881691f180192e6f29f77

General

Target

dd76e3a7854555bf0a76aff66d6e75e8.exe
Size

476KB
MD5

dd76e3a7854555bf0a76aff66d6e75e8
SHA1

48fe64eeb38728c58443ace7df337f8905823437
SHA256

59193ea2bc603f875f795f48d8c2711ad6e4321853e881691f180192e6f29f77
SHA512

6d2fbe0b4efa6606c3321d5a5c119a02d04479852165307315eaf6ffeeaf390b6413a833754d4a73895a996e600ab4dd0dae85adcc237ce399cc3aa6720cd6d1

Score

10^/10

formbook a83r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a83r

Decoy

comercializadoralonso.com

durhamschoolservces.com

onegreencapital.com

smartcities24.com

maquinas.store

brianlovesbonsai.com

xin41518s.com

moneyearnus.xyz

be-mix.com

fengyat.club

inspectdecided.xyz

paksafpakistan.com

orhidlnt.top

princesuraj.com

vietnamvodka.com

renewnow.site

imageservices.xyz

luxurytravelfranchise.com

kp112.red

royalyorkfirewood.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3324-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3324-125-0x000000000041F170-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

dd76e3a7854555bf0a76aff66d6e75e8.exe

description pid process target process

PID 2356 set thread context of 3324 2356 dd76e3a7854555bf0a76aff66d6e75e8.exe dd76e3a7854555bf0a76aff66d6e75e8.exe

description	pid	process	target process
PID 2356 set thread context of 3324	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

dd76e3a7854555bf0a76aff66d6e75e8.exedd76e3a7854555bf0a76aff66d6e75e8.exe

pid	process
2356	dd76e3a7854555bf0a76aff66d6e75e8.exe
2356	dd76e3a7854555bf0a76aff66d6e75e8.exe
3324	dd76e3a7854555bf0a76aff66d6e75e8.exe
3324	dd76e3a7854555bf0a76aff66d6e75e8.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

dd76e3a7854555bf0a76aff66d6e75e8.exe

description pid process

Token: SeDebugPrivilege 2356 dd76e3a7854555bf0a76aff66d6e75e8.exe

description	pid	process
Token: SeDebugPrivilege	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

dd76e3a7854555bf0a76aff66d6e75e8.exe

description	pid	process	target process
PID 2356 wrote to memory of 3088	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3088	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3088	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3324	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3324	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3324	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3324	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3324	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe
PID 2356 wrote to memory of 3324	2356	dd76e3a7854555bf0a76aff66d6e75e8.exe	dd76e3a7854555bf0a76aff66d6e75e8.exe

C:\Users\Admin\AppData\Local\Temp\dd76e3a7854555bf0a76aff66d6e75e8.exe
"C:\Users\Admin\AppData\Local\Temp\dd76e3a7854555bf0a76aff66d6e75e8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2356

C:\Users\Admin\AppData\Local\Temp\dd76e3a7854555bf0a76aff66d6e75e8.exe
"C:\Users\Admin\AppData\Local\Temp\dd76e3a7854555bf0a76aff66d6e75e8.exe"
2⤵
PID:3088

C:\Users\Admin\AppData\Local\Temp\dd76e3a7854555bf0a76aff66d6e75e8.exe
"C:\Users\Admin\AppData\Local\Temp\dd76e3a7854555bf0a76aff66d6e75e8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2356-115-0x00000000008D0000-0x00000000008D1000-memory.dmp

Filesize
4KB

Download
memory/2356-117-0x0000000005650000-0x0000000005651000-memory.dmp

Filesize
4KB

Download
memory/2356-118-0x00000000051F0000-0x00000000051F1000-memory.dmp

Filesize
4KB

Download
memory/2356-119-0x0000000005150000-0x000000000564E000-memory.dmp

Filesize
5.0MB

Download
memory/2356-120-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2356-121-0x00000000087B0000-0x00000000087B1000-memory.dmp

Filesize
4KB

Download
memory/2356-122-0x0000000005610000-0x0000000005616000-memory.dmp

Filesize
24KB

Download
memory/2356-123-0x0000000008850000-0x00000000088AF000-memory.dmp

Filesize
380KB

Download
memory/3324-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3324-125-0x000000000041F170-mapping.dmp

Download
memory/3324-126-0x00000000014B0000-0x00000000017D0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads