formbook | 1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a

General

Target

1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe
Size

744KB
MD5

b008fa1238c06f2948c339816baa3a05
SHA1

660c93249e93100649fcd8812d83c4e61a0acd47
SHA256

1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a
SHA512

ea8816b592e9ae94820fd2a9e2dd389d5f711d9c46c4004c16c5205f20f157721b29bb73f7fa7397843fb67b7d461a6826860c6e24239865d24ed93b25fe093c

Score

10^/10

formbook h28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h28

Decoy

sfhhhh.com

nhamaythaovy.com

ecbullets.com

lostoreadosspecial.online

iamgreatai.com

633osi.info

larsaofrancisco.com

antibakterijski-tepih.com

adiv-rapport.com

ekonominix.com

collectiveaccesscommunity.net

supermall.online

210pe.com

securitylogic.info

akbanksube.biz

rplxal.info

lkpyxn.com

lakecityplayhouse.com

wove.ltd

americanrealestate.loan

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1600-58-0x0000000000000000-mapping.dmp	formbook
behavioral1/memory/1600-60-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1600	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27
PID 1980 wrote to memory of 1600	1980	1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe	27

C:\Users\Admin\AppData\Local\Temp\1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe
"C:\Users\Admin\AppData\Local\Temp\1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe
  "C:\Users\Admin\AppData\Local\Temp\1e809cad1b9983f1f2927093abcf1b981a7d51c92aa4df9cc2ed6fc8cd92196a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1600

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1600-60-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1600-61-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1980-56-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download
memory/1980-57-0x00000000768D1000-0x00000000768D3000-memory.dmp

Filesize
8KB

Download
memory/1980-59-0x0000000000280000-0x0000000000286000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing