formbook | 5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e

General

Target

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
Size

368KB
MD5

561189349e7ef1918a4c27182a279ca6
SHA1

37165c0b5bd29f23664d55e0e4279f89ccde4275
SHA256

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e
SHA512

96ec8f72b5b031b8724296f620ba3b2e64295da62ae4d56e2d00b84d01bbbe3f3488f51ecdf7ab297b347574783ca4fad1105a1ee5fb97136affa6358c746e55
SSDEEP

6144:dt39+IGUiggkeVXZtFz/icY6FBXmyskHrBggUBmefTm2+zNXsl37t:CgWVXZj/XBGyskdgpfT

Score

10^/10

formbook ch rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ch

Decoy

dfjz88.com

realtorscreek.com

pl8v5z.info

thicdienthoai.com

areauruguay.com

shimizu-yado.com

apples5.com

hothip.net

jm-legal.online

bkinfo28.online

edificiosakura.net

biodesixlungreflex.com

segurosblanco.com

atsintech.solutions

steuerberaterfinden.com

ojjul.com

udcomputer.com

grovescashflow.com

inglot-jlo.com

docteursnuisible.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5032-140-0x0000000000400000-0x0000000000461000-memory.dmp	formbook
behavioral2/memory/5032-141-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Drops file in Windows directory 2 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

description	ioc	process
File opened for modification	C:\Windows\win.ini	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
File opened for modification	C:\Windows\win.ini	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
5032	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
5032	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
5032	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
5032	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of SendNotifyMessage 4 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
5032	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
5032	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

pid	process
996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
5032	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

description	pid	process	target process
PID 996 wrote to memory of 5032	996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
PID 996 wrote to memory of 5032	996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
PID 996 wrote to memory of 5032	996	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe	5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe

C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
"C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"
1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
  "C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\win.ini

Filesize
123B

MD5
6bf517432f65eb7f0d18d574bf14124c

SHA1
5b9f37c1dd1318ebbec3bd2f07c109eb9d22c727

SHA256
6e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46

SHA512
7b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06

Download Submit
memory/996-142-0x00007FF9E6370000-0x00007FF9E6565000-memory.dmp

Filesize
2.0MB

Download
memory/996-143-0x0000000077880000-0x0000000077A23000-memory.dmp

Filesize
1.6MB

Download
memory/996-134-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/996-139-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/5032-140-0x0000000000400000-0x0000000000461000-memory.dmp

Filesize
388KB

Download
memory/5032-141-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5032-135-0x0000000000000000-mapping.dmp

Download
memory/5032-144-0x0000000002150000-0x0000000002158000-memory.dmp

Filesize
32KB

Download
memory/5032-145-0x00007FF9E6370000-0x00007FF9E6565000-memory.dmp

Filesize
2.0MB

Download
memory/5032-146-0x0000000077880000-0x0000000077A23000-memory.dmp

Filesize
1.6MB

Download
memory/5032-147-0x00000000216C0000-0x0000000021A0A000-memory.dmp

Filesize
3.3MB

Download
memory/5032-148-0x0000000077880000-0x0000000077A23000-memory.dmp

Filesize
1.6MB

Download
memory/5032-149-0x0000000077880000-0x0000000077A23000-memory.dmp

Filesize
1.6MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads