formbook | 266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11

General

Target

266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe
Size

660KB
MD5

98d1100c39a023253cd46122e0a8820e
SHA1

317b29e44ebbb9659203c1ed96ab1d73d6b540dd
SHA256

266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11
SHA512

777335c56e065d1810251db4cdcda1e1ee6ec13cd0e47f89203a80e3d6497938a14f560c2b23f24dfd2c76c5509c863f03be6a6df102455aaa24f91bd7d47020

Score

10^/10

formbook ho rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ho

Decoy

3dprintedphotography.com

surgeinor.com

goletavalleytechcenter.com

fort41.net

mudita.studio

pesticides-suppliers.com

al98ce.biz

berybest.com

siedumat.com

tomengrain.net

sunnyskiesvaca.info

centrocomercialatlantida.com

umeof.info

sequoiasurfacing.com

lacodeouro.com

somotorbike.com

chancetobloew.com

mcrikos.com

qizhangke.com

sugarnotchsawmill.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4180-136-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4776 set thread context of 4180	4776	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	80

Program crash 2 IoCs

pid	pid_target	Process	procid_target
1312	4180	WerFault.exe	80
1992	4180	WerFault.exe	80

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4180	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe
4180	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4776	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 4180	4776	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	80
PID 4776 wrote to memory of 4180	4776	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	80
PID 4776 wrote to memory of 4180	4776	266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe	80

C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe
"C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe
  C:\Users\Admin\AppData\Local\Temp\266b94576fc5f21b1958e202c1e6296f95b247e0c02cb4683b8e164ec84d9a11.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4180
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 424
    3⤵
    - Program crash
    PID:1312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4180 -s 468
    3⤵
    - Program crash
    PID:1992

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4180 -ip 4180
1⤵
PID:1388

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 4180 -ip 4180
1⤵
PID:4192

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4180-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4180-137-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download
memory/4180-138-0x0000000006DC0000-0x000000000710A000-memory.dmp

Filesize
3.3MB

Download
memory/4180-139-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download
memory/4776-132-0x00000000029B0000-0x00000000029B6000-memory.dmp

Filesize
24KB

Download
memory/4776-134-0x0000000076F40000-0x00000000770E3000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing