formbook | 22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900

General

Target

22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe
Size

740KB
MD5

0015796b2a88979a2d99752004891750
SHA1

d2e1b419e9081f79ac8005e7d9ef719705efcff8
SHA256

22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900
SHA512

e8b2cad37e22f15b8650fa24812164c7c1e964852e7aabf706f445dc9c96d85368e2b5b3e74b041b0785d9005f56f573f0889c1d8aa737facba85f19237e563c

Score

10^/10

formbook h27 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h27

Decoy

2017shoe.store

my-heart.info

bienesenmetros.com

imdanielleberry.com

francescoserio.com

brooklynbeverage.net

mailclickitautoandrv.com

saoliankeji.com

culturo.biz

xsqsb.com

punctuated.media

adhdpicturelab.com

socialsteep.com

enepalgunj.com

accommodation.deals

nishmithapatla.com

mitt.email

eshopworkshop.com

gomesenterprises.com

ooll4v.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1380-58-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/1380-60-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1380	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28
PID 1120 wrote to memory of 1380	1120	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	28

C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe
"C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe
  "C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1380

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-56-0x00000000753B1000-0x00000000753B3000-memory.dmp

Filesize
8KB

Download
memory/1120-57-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/1120-59-0x0000000002520000-0x0000000002526000-memory.dmp

Filesize
24KB

Download
memory/1380-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1380-61-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing