formbook | 95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888

General

Target

95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe
Size

727KB
MD5

0d435fc2005ce7e69f850cc3e57712e3
SHA1

abf6796e578328c841042a14fe58300733fd0556
SHA256

95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888
SHA512

598426ab19450153c68abbda02755849d9bfc741a3d370501c95fc9c913d626f9e118c5852045a331b1d4aeef20ba9d811b328a4e2a0bf84c1c414bb3b79f756

Score

10^/10

formbook metastealer gae rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gae

Decoy

haolexin.com

mediatradeprofiles.com

336540.com

khive.team

itbossinc.com

appantoniojoin.com

fleetalfa.com

szwrites.com

developistanbul.com

harrybuyshomes4fastcash.com

homelandmarkets.com

911directpp.com

bipocamerica.com

imperialdesignonline.com

covid-19tablets.info

tutorquranonline.com

dataaisummit.com

learn-interviewskills.com

trijayatekniktama.com

bulbalabs.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Meta Stealer Stealer
Meta Stealer steals passwords stored in browsers, written in C++.
stealer metastealer

Formbook Payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1596-131-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2192 set thread context of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe
1596	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe
1596	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2192 wrote to memory of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93
PID 2192 wrote to memory of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93
PID 2192 wrote to memory of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93
PID 2192 wrote to memory of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93
PID 2192 wrote to memory of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93
PID 2192 wrote to memory of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93
PID 2192 wrote to memory of 1596	2192	95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe	93

C:\Users\Admin\AppData\Local\Temp\95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe
"C:\Users\Admin\AppData\Local\Temp\95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2192
- C:\Users\Admin\AppData\Local\Temp\95e46bda24b5240f0ee2c70793709836c568d27da06b7393c7ed5cb4d5f4d888.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1596-131-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1596-132-0x0000000001350000-0x000000000169A000-memory.dmp

Filesize
3.3MB

Download
memory/2192-124-0x0000000000A30000-0x0000000000AEC000-memory.dmp

Filesize
752KB

Download
memory/2192-125-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/2192-126-0x0000000005380000-0x0000000005412000-memory.dmp

Filesize
584KB

Download
memory/2192-127-0x0000000005370000-0x000000000537A000-memory.dmp

Filesize
40KB

Download
memory/2192-128-0x0000000007CE0000-0x000000000820C000-memory.dmp

Filesize
5.2MB

Download
memory/2192-129-0x00000000082B0000-0x000000000834C000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing