formbook | d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e

General

Target

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
Size

404KB
MD5

ac889675aa282449205f31cd4f46f3d6
SHA1

50115144e96337ed3bfe27480a82300002310400
SHA256

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e
SHA512

3a32641a515063fa9d062fa78a778f5f05088707af2a431904c37a0d772145e02617a172be9a74fe65c64b4b3e3dcca82aedf351ccbc4bb5b22e29a0ad6742dd

Score

10^/10

formbook jy93 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy93

Decoy

alexito.space

shitsthebalm.com

margaritavillemelbourne.com

vonahk.xyz

1960lawn.com

augustacrim.com

bancopec.com

batrainingstudio.com

kokofleks.store

w4-form-irs.com

putnamob.com

mickeysmotors.com

8181yd.com

wedmecreation.com

mischianti.com

gskpop.com

douvip303.com

unlimitedlyfestylez.com

originophthalmics.com

oandazx86.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1828-61-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

description	pid	process	target process
PID 1308 set thread context of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

pid process

1828 d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

pid	process
1828	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

description	pid	process	target process
PID 1308 wrote to memory of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 1308 wrote to memory of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 1308 wrote to memory of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 1308 wrote to memory of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 1308 wrote to memory of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 1308 wrote to memory of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 1308 wrote to memory of 1828	1308	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
"C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1308

C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
"C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1828

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1308-54-0x0000000000120000-0x000000000018C000-memory.dmp

Filesize
432KB

Download
memory/1308-55-0x0000000076071000-0x0000000076073000-memory.dmp

Filesize
8KB

Download
memory/1308-56-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/1308-57-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1308-58-0x00000000050A0000-0x000000000510A000-memory.dmp

Filesize
424KB

Download
memory/1828-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1828-62-0x0000000000820000-0x0000000000B23000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads