formbook | b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa

General

Target

b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
Size

955KB
MD5

91a972c03758ab433f7e7bbde4158e4d
SHA1

b31e8bec1883e2f6d69f0ee8cbfed15454e87c8c
SHA256

b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa
SHA512

ccbbfe77338b609f09e5a76f5881e003d4711f8c0e15a9f21fa1b978518bb7a54453be9fa849f3d7d3318bb980c04e8375120965add9fb734b2cc458c438ffca
SSDEEP

12288:1umGKSUdXLIXyKQEy3NbeEOIoWhtfvKtEKu0I:omGKndbIrQEy3NbetsVvnKZI

Score

10^/10

formbook gbr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbr

Decoy

serabet.com

galanggroup.com

zweitmeinung-urologie.com

damsalon.com

binliwine.com

lifeladderindia.com

flyingwranchmanagement.com

tripsandturns.com

3headdesign.com

aluminumfacade.com

toprestau.com

facetreatspa.com

periodrescuekit.com

dbaojian.com

altinotokurtarma.com

gkpelle.com

loguslife.com

treatse.com

lghglzcnkx.net

jawharabh.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1532-62-0x000000000041EB10-mapping.dmp	formbook
behavioral1/memory/1532-61-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

description	pid	process	target process
PID 968 set thread context of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exeb5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

pid	process
968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
1532	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

description pid process

Token: SeDebugPrivilege 968 b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

description	pid	process
Token: SeDebugPrivilege	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
"C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:968
- C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
  "C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe"
  2⤵
  PID:1492
- C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
  "C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe"
  2⤵
  PID:1648
- C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
  "C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe"
  2⤵
  PID:1240
- C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
  "C:\Users\Admin\AppData\Local\Temp\b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-54-0x0000000000080000-0x0000000000176000-memory.dmp

Filesize
984KB

Download
memory/968-55-0x0000000075F21000-0x0000000075F23000-memory.dmp

Filesize
8KB

Download
memory/968-56-0x0000000000460000-0x000000000046A000-memory.dmp

Filesize
40KB

Download
memory/968-57-0x0000000004310000-0x0000000004372000-memory.dmp

Filesize
392KB

Download
memory/1532-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1532-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1532-62-0x000000000041EB10-mapping.dmp

Download
memory/1532-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1532-63-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download

description	pid	process	target process
PID 968 wrote to memory of 1492	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1492	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1492	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1492	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1648	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1648	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1648	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1648	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1240	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1240	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1240	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1240	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe
PID 968 wrote to memory of 1532	968	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe	b5d3713200d78ffa108a19cecc8e5f9e27ca778a72eabc4e038821a1e9d56caa.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads