formbook | 0be852dc052384c403f96e94c0f681c8d4b2429dbb413f9abe896e39f5cb7285

General

Target

6e7eb23ed6f49f777c799e851872e00a.exe
Size

408KB
MD5

6e7eb23ed6f49f777c799e851872e00a
SHA1

f1a1b891df9ad7850160459493f467534065e150
SHA256

0be852dc052384c403f96e94c0f681c8d4b2429dbb413f9abe896e39f5cb7285
SHA512

fcf32c873bfd8a32b985b671fb94f582dc2562cb59cc7bd20ce6523924958e8e191dbc53fb2c61af36c7f211e0df6c4dcdda04fd0e8a3ea33dc14f263df14b5b

Score

10^/10

formbook fezu rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fezu

Decoy

palisadeshiking.com

lusteror.com

blogmisaficiones.com

firstprinciplesteam.com

theindoorfarmer.info

sddn55.xyz

womensclothingonlineshop.com

amourneim.com

getlumichargeserver.com

mynegociodev.com

xn--riq159j.com

the-social-hub.com

buypremiumvpn.xyz

brightnes.info

catmanshopper.com

michellepalacdesigns.com

moveventurecapital.com

nzhzygba.com

papahungry.com

electric-classic-bike.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2036-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6e7eb23ed6f49f777c799e851872e00a.exe

description pid process target process

PID 1108 set thread context of 2036 1108 6e7eb23ed6f49f777c799e851872e00a.exe 6e7eb23ed6f49f777c799e851872e00a.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6e7eb23ed6f49f777c799e851872e00a.exe6e7eb23ed6f49f777c799e851872e00a.exe

pid process

1108 6e7eb23ed6f49f777c799e851872e00a.exe
2036 6e7eb23ed6f49f777c799e851872e00a.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6e7eb23ed6f49f777c799e851872e00a.exe

description pid process

Token: SeDebugPrivilege 1108 6e7eb23ed6f49f777c799e851872e00a.exe

description	pid	process	target process
PID 1108 set thread context of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe

pid	process
1108	6e7eb23ed6f49f777c799e851872e00a.exe
2036	6e7eb23ed6f49f777c799e851872e00a.exe

description	pid	process
Token: SeDebugPrivilege	1108	6e7eb23ed6f49f777c799e851872e00a.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

6e7eb23ed6f49f777c799e851872e00a.exe

description	pid	process	target process
PID 1108 wrote to memory of 1568	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 1568	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 1568	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 1568	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe
PID 1108 wrote to memory of 2036	1108	6e7eb23ed6f49f777c799e851872e00a.exe	6e7eb23ed6f49f777c799e851872e00a.exe

C:\Users\Admin\AppData\Local\Temp\6e7eb23ed6f49f777c799e851872e00a.exe
"C:\Users\Admin\AppData\Local\Temp\6e7eb23ed6f49f777c799e851872e00a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1108

C:\Users\Admin\AppData\Local\Temp\6e7eb23ed6f49f777c799e851872e00a.exe
"C:\Users\Admin\AppData\Local\Temp\6e7eb23ed6f49f777c799e851872e00a.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\6e7eb23ed6f49f777c799e851872e00a.exe
"C:\Users\Admin\AppData\Local\Temp\6e7eb23ed6f49f777c799e851872e00a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2036

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-55-0x0000000000950000-0x00000000009BC000-memory.dmp

Filesize
432KB

Download
memory/1108-56-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/1108-57-0x0000000004890000-0x0000000004891000-memory.dmp

Filesize
4KB

Download
memory/1108-58-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/1108-59-0x00000000056F0000-0x000000000575A000-memory.dmp

Filesize
424KB

Download
memory/2036-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2036-63-0x0000000000B50000-0x0000000000E53000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing