formbook | f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e

General

Target

f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe
Size

684KB
MD5

33b08a6f291d2d62ce11bc349ed3487d
SHA1

a06c3031d3098a51160179458f604b0382c26a16
SHA256

f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e
SHA512

a194432af284a2284cb7a2a8b18405e1d1b2a42057d8463d819ae1a00bdb98223a418c6017e5673bcb8d7a979bb716c35c560dcd86542baaca8e9f2e711617ae
SSDEEP

12288:YWda76TLGyuxNYZaOWiOBR7Eb1VW7YRkV42mEFdCH:YW3SVx2ZaqOB9W1qFXFUH

Score

10^/10

formbook e8fg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

e8fg

Decoy

rmaex.xyz

thegreenambition.com

ifmcustomerevents.com

agencewebimage.com

w0a00dbe.buzz

shopbequynhff.com

webpetarung.online

girlgonecyber.com

lexoutwest.com

gramshilpartandcraft.com

kemeioficial.com

track-race-package.com

shop-domanopro.com

bohanshow.com

ateliermedispa.com

paragonhonda-ny.com

calzadosnova.com

thephoenixoneproject.com

pl66380.com

nightowlmarketinggroup.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/588-64-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1312 set thread context of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe
1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe
588	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1312 wrote to memory of 1480	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	28
PID 1312 wrote to memory of 1480	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	28
PID 1312 wrote to memory of 1480	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	28
PID 1312 wrote to memory of 1480	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	28
PID 1312 wrote to memory of 1912	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	29
PID 1312 wrote to memory of 1912	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	29
PID 1312 wrote to memory of 1912	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	29
PID 1312 wrote to memory of 1912	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	29
PID 1312 wrote to memory of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30
PID 1312 wrote to memory of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30
PID 1312 wrote to memory of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30
PID 1312 wrote to memory of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30
PID 1312 wrote to memory of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30
PID 1312 wrote to memory of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30
PID 1312 wrote to memory of 588	1312	f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe	30

C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe
"C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1312
- C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe
  "C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe"
  2⤵
  PID:1480
- C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe
  "C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe"
  2⤵
  PID:1912
- C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe
  "C:\Users\Admin\AppData\Local\Temp\f877daae32612cf737745b22467c63f63e1961a6135289125dd228604fa0c29e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/588-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-65-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1312-54-0x0000000000800000-0x00000000008B2000-memory.dmp

Filesize
712KB

Download
memory/1312-55-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1312-56-0x00000000001D0000-0x00000000001E4000-memory.dmp

Filesize
80KB

Download
memory/1312-57-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1312-58-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1312-59-0x0000000005DF0000-0x0000000005E60000-memory.dmp

Filesize
448KB

Download
memory/1312-60-0x00000000022B0000-0x00000000022E8000-memory.dmp

Filesize
224KB

Download

Analysis

Sharing