formbook | 855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381

General

Target

855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
Size

1010KB
MD5

05249a2214929e31547ca844a72365f1
SHA1

07036b37b144e1022f7cd444903d35bcc78454d4
SHA256

855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381
SHA512

605438b5010da66fbaa00516e129d30e44bbabaebd3d866a6c37fbf976a23a50ae5423035b9dd5260c6ef3f0f3fd763d8daa264a3764ff37b77ba0e648992bf4
SSDEEP

24576:1e/qSXiEDT25Rvgi6TjHCOH+1qeimbNPLefSMfSBfSCfSvfSAfS1fSGfSTfS0fS4:wqWDaETO13img

Score

10^/10

formbook ab ke ko rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ab

Decoy

kirameki.online

qcgqtz.com

hodlmycoins.com

trickortreatdmv.com

idealsssi.com

637788v.com

puercha.ltd

tornikaista.com

travelcare.agency

sidecartourparis.com

smartfx89.com

studymust.com

nmucf.info

thecarltonfiles.com

autoviralprofit.com

dramaticcalculator.com

naxiehua8090.com

verway-leben.com

mkyouthpastor.com

index119.com

Extracted

Family

formbook

Version

3.9

Campaign

ke

Decoy

weiyipa.com

thepovertyneckhillbillies.com

yxzhgs.com

carolinahaulers.com

geosondar.com

globallifi.com

eurasiantourism.com

6upgrades.com

hidwid.com

zphillipsgames.com

jodiesart.com

line2revo-butei.com

worldreviewofbooks.com

heictojpeg.com

prib.ltd

xn--comores-routire-6mb.com

fatnevermore.com

meadowlarkvoices.com

blissstreetfashion.com

karbirgidainsaat.com

Extracted

Family

formbook

Version

3.9

Campaign

ko

Decoy

batatproject.com

mydaxuetang.com

clmproject.com

die-erste-werkstatt.com

constructiveproductions.com

vorhersage.net

jonathanandcolleen.com

crmparis.com

thesexpistolsvevo.com

sauna.media

osmspayments.net

320903.com

keshuotech.com

smpql.com

ssgan75.com

651bifa.com

weyena.com

lauraradu.com

carbuco.com

thejobdocs.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1628-65-0x0000000000400000-0x00000000004FC000-memory.dmp	formbook
behavioral1/memory/1628-66-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1720-74-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral1/memory/1720-73-0x0000000000400000-0x00000000004FC000-memory.dmp	formbook
behavioral1/memory/1712-76-0x0000000000400000-0x00000000004FC000-memory.dmp	formbook
behavioral1/memory/1712-77-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

description	pid	process	target process
PID 1992 set thread context of 1628	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 set thread context of 1720	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 set thread context of 1712	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

pid	process
1628	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
1720	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
1712	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

pid process

1992 855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

pid	process
1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

description	pid	process	target process
PID 1992 wrote to memory of 1628	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1628	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1628	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1628	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1720	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1720	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1720	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1720	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1712	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1712	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1712	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
PID 1992 wrote to memory of 1712	1992	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe	855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe

C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
"C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1992

C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1628

C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1720

C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe
C:\Users\Admin\AppData\Local\Temp\855a71b80b3dac1295001efd045acc65309b350cceb6663ef106f464bd086381.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1712

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1628-65-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1628-71-0x0000000006990000-0x0000000006C93000-memory.dmp

Filesize
3.0MB

Download
memory/1628-58-0x00000000004DBAE0-mapping.dmp

Download
memory/1628-70-0x0000000077200000-0x0000000077380000-memory.dmp

Filesize
1.5MB

Download
memory/1628-69-0x0000000000220000-0x0000000000227000-memory.dmp

Filesize
28KB

Download
memory/1628-68-0x0000000077200000-0x0000000077380000-memory.dmp

Filesize
1.5MB

Download
memory/1628-67-0x0000000077020000-0x00000000771C9000-memory.dmp

Filesize
1.7MB

Download
memory/1628-66-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1712-77-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1712-76-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1712-80-0x0000000077200000-0x0000000077380000-memory.dmp

Filesize
1.5MB

Download
memory/1712-82-0x0000000006770000-0x0000000006A73000-memory.dmp

Filesize
3.0MB

Download
memory/1712-60-0x00000000004DBAE0-mapping.dmp

Download
memory/1712-79-0x0000000077020000-0x00000000771C9000-memory.dmp

Filesize
1.7MB

Download
memory/1720-59-0x00000000004DBAE0-mapping.dmp

Download
memory/1720-74-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1720-73-0x0000000000400000-0x00000000004FC000-memory.dmp

Filesize
1008KB

Download
memory/1720-81-0x0000000077200000-0x0000000077380000-memory.dmp

Filesize
1.5MB

Download
memory/1720-83-0x0000000006870000-0x0000000006B73000-memory.dmp

Filesize
3.0MB

Download
memory/1720-78-0x0000000077020000-0x00000000771C9000-memory.dmp

Filesize
1.7MB

Download
memory/1992-57-0x0000000074F01000-0x0000000074F03000-memory.dmp

Filesize
8KB

Download
memory/1992-56-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1992-63-0x0000000077200000-0x0000000077380000-memory.dmp

Filesize
1.5MB

Download
memory/1992-61-0x0000000000280000-0x0000000000287000-memory.dmp

Filesize
28KB

Download
memory/1992-62-0x0000000077020000-0x00000000771C9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads