formbook | b6dce4fb36d3374d3fc309180d2e8829e25cd7f02f0ce14c3948541b653565e8

General

Target

f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
Size

623KB
MD5

c563ac9781f5dd0b8a701d8a57029194
SHA1

ae23bd161690cc42cdfb2b2220bcf15992ae175a
SHA256

f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa
SHA512

d064de28a89d2241052a866c0591f042e58d944b9118cf7238d283c6704775d09235f1fbd10a176fc4719d04180953ce786287a760ca77baa2894e129fb84116
SSDEEP

12288:U2N8jiZ4zypIPjtPplTY6RhKu5wMS2lEs/cLFCQDgYCnrz2RzSjpUUfIp1qO58O/:U2N8jiZ4zypIPjJTDEkSVsDQD4rz2KJ6

Score

10^/10

formbook q6at rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

q6at

Decoy

xn--oceanslot88-b28qq03g.xyz

kickui.xyz

my13377.com

exiipurediscount.pics

forevigt.shop

powerfivevolleyballclub.com

orcastones.com

dravloy.xyz

tokathaberajans.fun

cendanab3t.site

lonelylovercrew.com

beaubambi.com

thetalkaboutgriefproject.com

broadalert.com

promocodeforcrocs.com

sespeciess.club

lesjardinsdepoigny.com

intrack.site

bnbstar.live

electbraxton.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2164-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 2164	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	95

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
2164	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
2164	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2036	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	92
PID 5068 wrote to memory of 2036	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	92
PID 5068 wrote to memory of 2036	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	92
PID 5068 wrote to memory of 2312	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	93
PID 5068 wrote to memory of 2312	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	93
PID 5068 wrote to memory of 2312	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	93
PID 5068 wrote to memory of 4300	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	94
PID 5068 wrote to memory of 4300	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	94
PID 5068 wrote to memory of 4300	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	94
PID 5068 wrote to memory of 2164	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	95
PID 5068 wrote to memory of 2164	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	95
PID 5068 wrote to memory of 2164	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	95
PID 5068 wrote to memory of 2164	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	95
PID 5068 wrote to memory of 2164	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	95
PID 5068 wrote to memory of 2164	5068	f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe	95

C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
"C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
  "C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe"
  2⤵
  PID:2036
- C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
  "C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe"
  2⤵
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
  "C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe"
  2⤵
  PID:4300
- C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe
  "C:\Users\Admin\AppData\Local\Temp\f1b36ca7d670bc735b032e07885bd7abf35b346cccb5196615e15adede30b5fa.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2164

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2164-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2164-142-0x0000000001820000-0x0000000001B6A000-memory.dmp

Filesize
3.3MB

Download
memory/5068-133-0x0000000000430000-0x00000000004D2000-memory.dmp

Filesize
648KB

Download
memory/5068-134-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/5068-135-0x0000000004E90000-0x0000000004F22000-memory.dmp

Filesize
584KB

Download
memory/5068-136-0x0000000004F30000-0x0000000004F3A000-memory.dmp

Filesize
40KB

Download
memory/5068-137-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/5068-138-0x0000000005080000-0x0000000005090000-memory.dmp

Filesize
64KB

Download
memory/5068-139-0x0000000006B10000-0x0000000006BAC000-memory.dmp

Filesize
624KB

Download

Analysis

Sharing