formbook | 266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11

General

Target

266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe
Size

660KB
MD5

98d1100c39a023253cd46122e0a8820e
SHA1

317b29e44ebbb9659203c1ed96ab1d73d6b540dd
SHA256

266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11
SHA512

777335c56e065d1810251db4cdcda1e1ee6ec13cd0e47f89203a80e3d6497938a14f560c2b23f24dfd2c76c5509c863f03be6a6df102455aaa24f91bd7d47020

Score

10^/10

formbook ho rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ho

Decoy

3dprintedphotography.com

surgeinor.com

goletavalleytechcenter.com

fort41.net

mudita.studio

pesticides-suppliers.com

al98ce.biz

berybest.com

siedumat.com

tomengrain.net

sunnyskiesvaca.info

centrocomercialatlantida.com

umeof.info

sequoiasurfacing.com

lacodeouro.com

somotorbike.com

chancetobloew.com

mcrikos.com

qizhangke.com

sugarnotchsawmill.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1016-62-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1016-63-0x0000000077980000-0x0000000077B00000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1948 set thread context of 1016	1948	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	27

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1192	1016	WerFault.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1016	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1948	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1016	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1948 wrote to memory of 1016	1948	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	27
PID 1948 wrote to memory of 1016	1948	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	27
PID 1948 wrote to memory of 1016	1948	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	27
PID 1948 wrote to memory of 1016	1948	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	27
PID 1016 wrote to memory of 1192	1016	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	28
PID 1016 wrote to memory of 1192	1016	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	28
PID 1016 wrote to memory of 1192	1016	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	28
PID 1016 wrote to memory of 1192	1016	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	28

C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe
"C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1948
- C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe
  C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1016 -s 176
    3⤵
    - Program crash
    PID:1192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1016-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1016-63-0x0000000077980000-0x0000000077B00000-memory.dmp

Filesize
1.5MB

Download
memory/1016-65-0x0000000006920000-0x0000000006C23000-memory.dmp

Filesize
3.0MB

Download
memory/1948-56-0x00000000001D0000-0x00000000001D6000-memory.dmp

Filesize
24KB

Download
memory/1948-57-0x0000000075401000-0x0000000075403000-memory.dmp

Filesize
8KB

Download
memory/1948-59-0x0000000077980000-0x0000000077B00000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing