formbook | 8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae

General

Target

8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
Size

778KB
MD5

09106fd4669886c1de4e049bb57e1228
SHA1

21af8e129c05e0cbbf33f4e155d4ebbfcaaa2155
SHA256

8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae
SHA512

1ca4f90efac305a0bce470263e2e6cff45e28029540123db54f9e5461ec4ae099f95384deade9c4160f9eea18c31d4b156513ee4ef628a99380af831d6383505

Score

10^/10

formbook jy93 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy93

Decoy

alexito.space

shitsthebalm.com

margaritavillemelbourne.com

vonahk.xyz

1960lawn.com

augustacrim.com

bancopec.com

batrainingstudio.com

kokofleks.store

w4-form-irs.com

putnamob.com

mickeysmotors.com

8181yd.com

wedmecreation.com

mischianti.com

gskpop.com

douvip303.com

unlimitedlyfestylez.com

originophthalmics.com

oandazx86.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3884-123-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe

description	pid	process	target process
PID 2612 set thread context of 3884	2612	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe

pid	process
3884	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
3884	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe

description	pid	process	target process
PID 2612 wrote to memory of 3884	2612	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
PID 2612 wrote to memory of 3884	2612	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
PID 2612 wrote to memory of 3884	2612	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
PID 2612 wrote to memory of 3884	2612	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
PID 2612 wrote to memory of 3884	2612	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
PID 2612 wrote to memory of 3884	2612	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe	8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe

C:\Users\Admin\AppData\Local\Temp\8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
"C:\Users\Admin\AppData\Local\Temp\8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2612

C:\Users\Admin\AppData\Local\Temp\8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe
"C:\Users\Admin\AppData\Local\Temp\8323bfa811d207521f4e833af08813c6a4431f9c28f6d07279b656a6a60e57ae.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3884

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2612-115-0x00000000005B0000-0x0000000000678000-memory.dmp

Filesize
800KB

Download
memory/2612-116-0x0000000005510000-0x0000000005A0E000-memory.dmp

Filesize
5.0MB

Download
memory/2612-117-0x0000000004EB0000-0x0000000004F42000-memory.dmp

Filesize
584KB

Download
memory/2612-118-0x0000000005010000-0x000000000550E000-memory.dmp

Filesize
5.0MB

Download
memory/2612-119-0x0000000004F50000-0x0000000004F5A000-memory.dmp

Filesize
40KB

Download
memory/2612-120-0x0000000005210000-0x000000000521C000-memory.dmp

Filesize
48KB

Download
memory/2612-121-0x00000000078A0000-0x000000000793C000-memory.dmp

Filesize
624KB

Download
memory/2612-122-0x0000000007B60000-0x0000000007BCA000-memory.dmp

Filesize
424KB

Download
memory/3884-123-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3884-124-0x0000000001180000-0x00000000014A0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads