formbook | 5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e

General

Target

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
Size

368KB
MD5

561189349e7ef1918a4c27182a279ca6
SHA1

37165c0b5bd29f23664d55e0e4279f89ccde4275
SHA256

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e
SHA512

96ec8f72b5b031b8724296f620ba3b2e64295da62ae4d56e2d00b84d01bbbe3f3488f51ecdf7ab297b347574783ca4fad1105a1ee5fb97136affa6358c746e55
SSDEEP

6144:dt39+IGUiggkeVXZtFz/icY6FBXmyskHrBggUBmefTm2+zNXsl37t:CgWVXZj/XBGyskdgpfT

Score

10^/10

formbook ch rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ch

Decoy

dfjz88.com

realtorscreek.com

pl8v5z.info

thicdienthoai.com

areauruguay.com

shimizu-yado.com

apples5.com

hothip.net

jm-legal.online

bkinfo28.online

edificiosakura.net

biodesixlungreflex.com

segurosblanco.com

atsintech.solutions

steuerberaterfinden.com

ojjul.com

udcomputer.com

grovescashflow.com

inglot-jlo.com

docteursnuisible.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1968-63-0x0000000000400000-0x0000000000461000-memory.dmp	formbook
behavioral1/memory/1968-64-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

description	pid	process	target process
PID 1996 set thread context of 1968	1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Drops file in Windows directory 2 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
File opened for modification	C:\Windows\win.ini	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid process

1968 5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
1968	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
1968	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
1968	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
1968	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
1968	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
1968	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

description	pid	process	target process
PID 1996 wrote to memory of 1968	1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
PID 1996 wrote to memory of 1968	1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
PID 1996 wrote to memory of 1968	1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
PID 1996 wrote to memory of 1968	1996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
"C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
"C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1968

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini
Filesize
509B

MD5
d2a2412bddba16d60ec63bd9550d933f

SHA1
deb3d3bdc9055f0b4909b31d3048446848fae0e1

SHA256
79ff2254e38192be1626d05bec6c82e10c85e1cf91df7440c4c443380a1e877a

SHA512
8fecada107f72e59e43a689eeb8e2e18fa6134d0941c122025ed5bd00e5eab8114d7125bd289505be75641385a0c3f112d402c693f142c3ddc870d5fa8116e31

Download Submit
memory/1968-57-0x0000000000000000-mapping.dmp

Download
memory/1968-63-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/1968-64-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1968-67-0x0000000000580000-0x0000000000588000-memory.dmp

Filesize
32KB

Download
memory/1968-69-0x0000000076F60000-0x0000000077036000-memory.dmp

Filesize
856KB

Download
memory/1968-68-0x0000000076D70000-0x0000000076F19000-memory.dmp

Filesize
1.7MB

Download
memory/1968-70-0x000000001F9E0000-0x000000001FCE3000-memory.dmp

Filesize
3.0MB

Download
memory/1996-56-0x0000000075D61000-0x0000000075D63000-memory.dmp

Filesize
8KB

Download
memory/1996-62-0x00000000004C0000-0x00000000004C8000-memory.dmp

Filesize
32KB

Download
memory/1996-65-0x0000000076D70000-0x0000000076F19000-memory.dmp

Filesize
1.7MB

Download
memory/1996-66-0x0000000076F50000-0x00000000770D0000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads