formbook | 2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59

General

Target

2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
Size

452KB
MD5

94bca57ddba1a9ba47f8f797ecf07977
SHA1

d151113db90762f6d54fa98009925219d55b4230
SHA256

2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59
SHA512

b3f335fba77bff76849a5cd07564df5c9078c414fe587b0ae26b9b8ed1e4b0f200e5f18e11bb84d4dd6b3485e864262b141d16737b0dc20f7b4aeb792cc101e1

Score

10^/10

formbook private rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.1

Campaign

private

Decoy

fantasticfatcat.com

foreveright.com

res-ritzcarlton.com

jollyrogerdrone.com

flawlessseas.com

audytypaliwowe.com

aquiahoracoaching.com

yunzhoutec.com

eateze.com

luxurycityhotelcanada.com

ucandanc.net

istcbook.com

ehug.ltd

uniteamdata.com

renatorotsztejn.com

karimovislom.money

dresolvs.com

bao-ze.com

dtn.email

easecampsports.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/580-134-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/580-137-0x0000000000400000-0x0000000000428000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe

pid	process
580	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
580	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe

pid process

1676 2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe

pid	process
1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe

description	pid	process	target process
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
PID 1676 wrote to memory of 580	1676	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe	2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe

C:\Users\Admin\AppData\Local\Temp\2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
"C:\Users\Admin\AppData\Local\Temp\2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1676

C:\Users\Admin\AppData\Local\Temp\2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe
"C:\Users\Admin\AppData\Local\Temp\2ef7cf9a80117290859628386863a04c3385fa3f5a29fac041d4d19fcf21df59.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-134-0x0000000000000000-mapping.dmp

Download
memory/580-136-0x0000000000A90000-0x0000000000DDA000-memory.dmp

Filesize
3.3MB

Download
memory/580-137-0x0000000000400000-0x0000000000428000-memory.dmp

Filesize
160KB

Download
memory/1676-133-0x0000000002150000-0x0000000002157000-memory.dmp

Filesize
28KB

Download
memory/1676-135-0x0000000002150000-0x0000000002157000-memory.dmp

Filesize
28KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads