formbook | d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e

General

Target

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
Size

404KB
MD5

ac889675aa282449205f31cd4f46f3d6
SHA1

50115144e96337ed3bfe27480a82300002310400
SHA256

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e
SHA512

3a32641a515063fa9d062fa78a778f5f05088707af2a431904c37a0d772145e02617a172be9a74fe65c64b4b3e3dcca82aedf351ccbc4bb5b22e29a0ad6742dd

Score

10^/10

formbook jy93 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy93

Decoy

alexito.space

shitsthebalm.com

margaritavillemelbourne.com

vonahk.xyz

1960lawn.com

augustacrim.com

bancopec.com

batrainingstudio.com

kokofleks.store

w4-form-irs.com

putnamob.com

mickeysmotors.com

8181yd.com

wedmecreation.com

mischianti.com

gskpop.com

douvip303.com

unlimitedlyfestylez.com

originophthalmics.com

oandazx86.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2692-124-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

description	pid	process	target process
PID 648 set thread context of 2692	648	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

pid	process
2692	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
2692	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

description	pid	process	target process
PID 648 wrote to memory of 2692	648	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 648 wrote to memory of 2692	648	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 648 wrote to memory of 2692	648	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 648 wrote to memory of 2692	648	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 648 wrote to memory of 2692	648	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
PID 648 wrote to memory of 2692	648	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe	d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe

C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
"C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe
"C:\Users\Admin\AppData\Local\Temp\d1eddd348ee11e3da00c9f45fa1fb94e3b174c8abe780a7d764bd22f62980e8e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2692

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-116-0x0000000000C00000-0x0000000000C6C000-memory.dmp

Filesize
432KB

Download
memory/648-117-0x0000000005AA0000-0x0000000005F9E000-memory.dmp

Filesize
5.0MB

Download
memory/648-118-0x0000000005640000-0x00000000056D2000-memory.dmp

Filesize
584KB

Download
memory/648-119-0x00000000055A0000-0x0000000005A9E000-memory.dmp

Filesize
5.0MB

Download
memory/648-120-0x00000000055E0000-0x00000000055EA000-memory.dmp

Filesize
40KB

Download
memory/648-121-0x0000000005820000-0x000000000582C000-memory.dmp

Filesize
48KB

Download
memory/648-122-0x0000000007D00000-0x0000000007D9C000-memory.dmp

Filesize
624KB

Download
memory/648-123-0x0000000007F90000-0x0000000007FFA000-memory.dmp

Filesize
424KB

Download
memory/2692-124-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2692-125-0x00000000019F0000-0x0000000001D10000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads