formbook | 459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a

General

Target

30960d3f020c7f741a8ef2a0dc78013c.exe
Size

400KB
MD5

30960d3f020c7f741a8ef2a0dc78013c
SHA1

e7365401cedd20b086cdb9030238baf130edb0bb
SHA256

459238db7010365ad248cd0c1afa4947a39bf34b47927dd9ea6e77056979842a
SHA512

beb0475cc8bef1cb9ecc5917f4ac26610de0dcfb46560aa8a7557d6d505bbc5173f2a59798f80775c90f27b65b911ecbbe5100248c64300c106d423ebcad1198

Score

10^/10

formbook cw22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cw22

Decoy

betvoy206.com

nftstoners.com

tirupatibuilder.com

gulldesigns.com

shemhq.com

boricosmetic.com

bitcoinbillionaireboy.com

theflypaperplanes.com

retrocartours.com

yangzhie326.com

cheepchain.com

sentryr.com

luckirentalhomes.com

pointssquashers.com

dianasarabiantreasures.com

calendarsilo.com

sublike21.xyz

gajubg0up.xyz

lousfoodreviews.com

fades.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1596-126-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

30960d3f020c7f741a8ef2a0dc78013c.exe

description pid process target process

PID 3552 set thread context of 1596 3552 30960d3f020c7f741a8ef2a0dc78013c.exe 30960d3f020c7f741a8ef2a0dc78013c.exe

description	pid	process	target process
PID 3552 set thread context of 1596	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

30960d3f020c7f741a8ef2a0dc78013c.exe30960d3f020c7f741a8ef2a0dc78013c.exe

pid	process
3552	30960d3f020c7f741a8ef2a0dc78013c.exe
3552	30960d3f020c7f741a8ef2a0dc78013c.exe
1596	30960d3f020c7f741a8ef2a0dc78013c.exe
1596	30960d3f020c7f741a8ef2a0dc78013c.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

30960d3f020c7f741a8ef2a0dc78013c.exe

description pid process

Token: SeDebugPrivilege 3552 30960d3f020c7f741a8ef2a0dc78013c.exe

description	pid	process
Token: SeDebugPrivilege	3552	30960d3f020c7f741a8ef2a0dc78013c.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

30960d3f020c7f741a8ef2a0dc78013c.exe

description	pid	process	target process
PID 3552 wrote to memory of 1368	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1368	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1368	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1596	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1596	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1596	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1596	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1596	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe
PID 3552 wrote to memory of 1596	3552	30960d3f020c7f741a8ef2a0dc78013c.exe	30960d3f020c7f741a8ef2a0dc78013c.exe

C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe
"C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3552

C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe
"C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe"
2⤵
PID:1368

C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe
"C:\Users\Admin\AppData\Local\Temp\30960d3f020c7f741a8ef2a0dc78013c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-126-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-127-0x0000000001320000-0x0000000001640000-memory.dmp

Filesize
3.1MB

Download
memory/3552-118-0x0000000000900000-0x000000000096A000-memory.dmp

Filesize
424KB

Download
memory/3552-119-0x0000000005890000-0x0000000005D8E000-memory.dmp

Filesize
5.0MB

Download
memory/3552-120-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/3552-121-0x0000000005390000-0x000000000588E000-memory.dmp

Filesize
5.0MB

Download
memory/3552-122-0x0000000005450000-0x000000000545A000-memory.dmp

Filesize
40KB

Download
memory/3552-123-0x0000000005520000-0x000000000552C000-memory.dmp

Filesize
48KB

Download
memory/3552-124-0x00000000079E0000-0x0000000007A7C000-memory.dmp

Filesize
624KB

Download
memory/3552-125-0x0000000007B70000-0x0000000007BDA000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads