formbook | 8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a

General

Target

8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe
Size

886KB
MD5

7481e627c46fc20dfebfeaa0c33cc70f
SHA1

7727ff419b18cb88c45cb17faa935d40e9e37d9a
SHA256

8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a
SHA512

5e389db1a08c191ca3d1fb37dbbd7ddd385e2d037a67f5cef5f5fc05e47be21f8bb7ccfbcadd3ee7f13483ae2e9100c015ffe83f511b602ca60d7d1fa56fed44
SSDEEP

12288:aoQgKZ/nXt7virmWhlGLaQYIL0dRYSV9kyOFya1z6KhbI8GXrLHPENrks28RVjma:v/NxGz7+B7DPEln

Score

10^/10

formbook 0vh9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

0vh9

Decoy

kT0Usm0+fHGF7CkiArMh/tpf8d/XmQE=

0fmX7QILD44W+4BvafbZzOs=

cu0K8dW1ampaxA==

mMUbaeih2AfncJFGQQ==

hbUGHyjFfvGHWhfdzKFAKACZFug=

yjwyDLSAuuQScZpTEt/p0g==

QVOuL9rCqaSZBDn18NM=

80J9zt627lL0

dRXhSLjVSYyE2g==

QuSd7Qu7JmkOkqOTf9gC4P5d322R+Ak=

TGmyjSzk7VR50A==

Per96I1KSYyE2g==

smg9xW2N/NH8O5xPQw==

epfEwPC7ggR37cX39cc=

s2tPNeqhoGyRpCQevaVh

0HJrO9mYxtjW0m+nEfbZzOs=

9ppmyuPh6JiKX+17X/bZzOs=

wrxE0u6FSNp5RtFYT83Yj+s2sz4kyg==

y4FnMsyMjUo7DqoovqLXyw==

tWNC35fFQyZe1Mt7fAQyHuycNOs=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2040 set thread context of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe
2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe
1528	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 1708	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	28
PID 2040 wrote to memory of 1708	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	28
PID 2040 wrote to memory of 1708	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	28
PID 2040 wrote to memory of 1708	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	28
PID 2040 wrote to memory of 1696	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	29
PID 2040 wrote to memory of 1696	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	29
PID 2040 wrote to memory of 1696	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	29
PID 2040 wrote to memory of 1696	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	29
PID 2040 wrote to memory of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30
PID 2040 wrote to memory of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30
PID 2040 wrote to memory of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30
PID 2040 wrote to memory of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30
PID 2040 wrote to memory of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30
PID 2040 wrote to memory of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30
PID 2040 wrote to memory of 1528	2040	8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe	30

C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe
"C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2040
- C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe
  "C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe"
  2⤵
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe
  "C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe"
  2⤵
  PID:1696
- C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe
  "C:\Users\Admin\AppData\Local\Temp\8bdd2be4252011abdf68e5db8180c2e89988209789a204ed01c5d9c9a84aa66a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1528-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1528-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1528-68-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/2040-55-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/2040-56-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/2040-57-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/2040-58-0x0000000007F60000-0x0000000007FF6000-memory.dmp

Filesize
600KB

Download
memory/2040-59-0x0000000005AD0000-0x0000000005B2E000-memory.dmp

Filesize
376KB

Download
memory/2040-54-0x0000000000120000-0x0000000000204000-memory.dmp

Filesize
912KB

Download

Analysis

Sharing