formbook | 5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a

General

Target

5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
Size

814KB
MD5

eccc5475dd661be20724e6b8a131f664
SHA1

adbd86d7ccdab284d0080f0a08e3d426a8df21b8
SHA256

5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a
SHA512

f61dfbb25c44e9bcc5334b95c1c54c2275876ee50610995dfda2fc6090b9b05e5da66831d288b53e313b6c1aec4b0e24d001792425965914eb03f6d6bdfd19c6
SSDEEP

12288:vFyMNTl159j9G9+a3DY366UqXbAyBWWapIg95lvTHRyoY:3b1XZGAaT56VrAyepIgvpjRpY

Score

10^/10

formbook g28p rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g28p

Decoy

whhmgs.asia

wellmedcaredirect.net

beggarded.com

wtpjiv.site

todo-celulares.com

parkitny.net

43345.top

pro-genie.com

cwdxz.com

cbc-inc.xyz

healthspots.net

rulil.top

pyramidaudit.solutions

k8sb15.live

hempaware.report

usclink.life

stayefs.net

05262.top

shop-izakaya-jin.com

iccworldcupnews.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1564-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

description	pid	process	target process
PID 2868 set thread context of 1564	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

pid	process
2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
1564	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
1564	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

description pid process

Token: SeDebugPrivilege 2868 5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

description	pid	process
Token: SeDebugPrivilege	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

description	pid	process	target process
PID 2868 wrote to memory of 3968	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 3968	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 3968	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1416	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1416	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1416	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1564	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1564	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1564	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1564	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1564	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
PID 2868 wrote to memory of 1564	2868	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe	5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe

C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
"C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2868

C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
"C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe"
2⤵
PID:3968

C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
"C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe"
2⤵
PID:1416

C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe
"C:\Users\Admin\AppData\Local\Temp\5868cacef685463a6d4ff4d34f487d09e844511fd4d0f22b4c7ab00a92a2818a.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-139-0x0000000000000000-mapping.dmp

Download
memory/1564-140-0x0000000000000000-mapping.dmp

Download
memory/1564-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1564-142-0x0000000001950000-0x0000000001C9A000-memory.dmp

Filesize
3.3MB

Download
memory/2868-133-0x00000000001B0000-0x0000000000282000-memory.dmp

Filesize
840KB

Download
memory/2868-134-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/2868-135-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/2868-136-0x0000000004DC0000-0x0000000004DCA000-memory.dmp

Filesize
40KB

Download
memory/2868-137-0x0000000008840000-0x00000000088DC000-memory.dmp

Filesize
624KB

Download
memory/3968-138-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads