formbook | 22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900

General

Target

22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe
Size

740KB
MD5

0015796b2a88979a2d99752004891750
SHA1

d2e1b419e9081f79ac8005e7d9ef719705efcff8
SHA256

22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900
SHA512

e8b2cad37e22f15b8650fa24812164c7c1e964852e7aabf706f445dc9c96d85368e2b5b3e74b041b0785d9005f56f573f0889c1d8aa737facba85f19237e563c

Score

10^/10

formbook h27 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h27

Decoy

2017shoe.store

my-heart.info

bienesenmetros.com

imdanielleberry.com

francescoserio.com

brooklynbeverage.net

mailclickitautoandrv.com

saoliankeji.com

culturo.biz

xsqsb.com

punctuated.media

adhdpicturelab.com

socialsteep.com

enepalgunj.com

accommodation.deals

nishmithapatla.com

mitt.email

eshopworkshop.com

gomesenterprises.com

ooll4v.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3756-133-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/3756-136-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3756	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe
3756	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82
PID 4504 wrote to memory of 3756	4504	22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe	82

C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe
"C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4504
- C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe
  "C:\Users\Admin\AppData\Local\Temp\22456acfdcb04fab3ca55ee4767c57b1a117697c6696a117573d892843122900.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3756-135-0x0000000000A50000-0x0000000000D9A000-memory.dmp

Filesize
3.3MB

Download
memory/3756-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4504-132-0x0000000005440000-0x0000000005446000-memory.dmp

Filesize
24KB

Download
memory/4504-134-0x0000000005440000-0x0000000005446000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing