formbook | 3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b

General

Target

3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
Size

920KB
MD5

f33602a685ab4c942327e514c4e6797c
SHA1

9fe4e86b3689240a730738393a04b5f72db423af
SHA256

3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b
SHA512

7d07330ff231a8d6c7ac94ffb50ba5a345c09498f382b76dc541d28b8b184b5c1fe2be15e2fa57b4f9e626c297ad50b8d971a91af5c23bdb9d3079f7f237d048
SSDEEP

24576:1OXIynvFDqx+Scy66+93DoBnH6oXXS4ve:CvhqQSY6kDci4

Score

10^/10

formbook dmpz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dmpz

Decoy

g6nVYcuLqoVCBunEXBXJ6w3fWQ==

ZcvMXCXftOLl

7llPyUdY6SDW+0jFjBhH6w3fWQ==

oNlI65OL5t6RGejebRdKsAjXGtsK8A==

kU64X5biR3AzyCEnlw==

dHWevaYxywS6e4PXkxhTtP/UGtsK8A==

tucfwSpD6EgygeItq7/COFAbH9E=

tSbx9dJa7CjaS9i1c3d4ImUJ

IlWSNsSPqt6mcQ3d

e0GDBU2jsOzL5OKBIzg=

N83IzuJUqu7g3+KBIzg=

nbC4xt55DmBKL0xV4GLW6w3fWQ==

Tk99naENrAzQj1piGbcl

6043tio61grD5OKBIzg=

HvXh6PMok+vZE1qjJUJClgSk+PAr1skh

JDtEXxkexjYzc+Bwc3Yt

sl+jPuCtSKWIyeKBIzg=

+eXvDCFojnwd9P79cBrQ6w3fWQ==

UfksRCdag5cHMXc=

7OW2uH1YngQA92VbLtpaRLmO/5JOL6k=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3488 set thread context of 3028	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	93

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
3028	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
3028	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3488 wrote to memory of 3040	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	90
PID 3488 wrote to memory of 3040	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	90
PID 3488 wrote to memory of 3040	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	90
PID 3488 wrote to memory of 1000	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	91
PID 3488 wrote to memory of 1000	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	91
PID 3488 wrote to memory of 1000	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	91
PID 3488 wrote to memory of 2172	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	92
PID 3488 wrote to memory of 2172	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	92
PID 3488 wrote to memory of 2172	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	92
PID 3488 wrote to memory of 3028	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	93
PID 3488 wrote to memory of 3028	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	93
PID 3488 wrote to memory of 3028	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	93
PID 3488 wrote to memory of 3028	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	93
PID 3488 wrote to memory of 3028	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	93
PID 3488 wrote to memory of 3028	3488	3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe	93

C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
"C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488
- C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe"
  2⤵
  PID:3040
- C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe"
  2⤵
  PID:1000
- C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe"
  2⤵
  PID:2172
- C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe
  "C:\Users\Admin\AppData\Local\Temp\3ec647b954f76b4a8a4817083e7191ad18a4a541a5f7875682b3009fb9f9649b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-147-0x00000000016B0000-0x00000000019FA000-memory.dmp

Filesize
3.3MB

Download
memory/3028-146-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-145-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3028-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3488-132-0x0000000000EE0000-0x0000000000FC6000-memory.dmp

Filesize
920KB

Download
memory/3488-137-0x0000000009920000-0x0000000009986000-memory.dmp

Filesize
408KB

Download
memory/3488-136-0x0000000009810000-0x00000000098AC000-memory.dmp

Filesize
624KB

Download
memory/3488-135-0x0000000005B10000-0x0000000005B1A000-memory.dmp

Filesize
40KB

Download
memory/3488-134-0x0000000005960000-0x00000000059F2000-memory.dmp

Filesize
584KB

Download
memory/3488-133-0x0000000005E70000-0x0000000006414000-memory.dmp

Filesize
5.6MB

Download

Analysis

Sharing