formbook | 459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a

General

Target

30960d3f020c7f741a8ef2a0dc78013c.exe
Size

400KB
MD5

30960d3f020c7f741a8ef2a0dc78013c
SHA1

e7365401cedd20b086cdb9030238baf130edb0bb
SHA256

459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a
SHA512

beb0475cc8bef1cb9ecc5917f4ac26610de0dcfb46560aa8a7557d6d505bbc5173f2a59798f80775c90f27b65b911ecbbe5100248c64300c106d423ebcad1198

Score

10^/10

formbook cw22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cw22

Decoy

betvoy206.com

nftstoners.com

tirupatibuilder.com

gulldesigns.com

shemhq.com

boricosmetic.com

bitcoinbillionaireboy.com

theflypaperplanes.com

retrocartours.com

yangzhie326.com

cheepchain.com

sentryr.com

luckirentalhomes.com

pointssquashers.com

dianasarabiantreasures.com

calendarsilo.com

sublike21.xyz

gajubg0up.xyz

lousfoodreviews.com

fades.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/784-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

30960d3f020c7f741a8ef2a0dc78013c.exe

description pid process target process

PID 1316 set thread context of 784 1316 30960d3f020c7f741a8ef2a0dc78013c.exe 30960d3f020c7f741a8ef2a0dc78013c.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

30960d3f020c7f741a8ef2a0dc78013c.exe

pid process

784 30960d3f020c7f741a8ef2a0dc78013c.exe

description	pid	process	target process
PID 1316 set thread context of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe

pid	process
784	30960d3f020c7f741a8ef2a0dc78013c.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

30960d3f020c7f741a8ef2a0dc78013c.exe

description	pid	process	target process
PID 1316 wrote to memory of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 1316 wrote to memory of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 1316 wrote to memory of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 1316 wrote to memory of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 1316 wrote to memory of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 1316 wrote to memory of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 1316 wrote to memory of 784	1316	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe

C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe
"C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1316

C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe
"C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:784

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/784-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/784-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1316-55-0x00000000011D0000-0x000000000123A000-memory.dmp

Filesize
424KB

Download
memory/1316-56-0x0000000074B21000-0x0000000074B23000-memory.dmp

Filesize
8KB

Download
memory/1316-57-0x0000000004F20000-0x0000000004F21000-memory.dmp

Filesize
4KB

Download
memory/1316-58-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1316-59-0x0000000005270000-0x00000000052DA000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing