formbook | 2e43e75303476b0eff6585680ad006cc7a7506a4564aa49504512ee3b6621884

General

Target

obizx.exe
Size

605KB
MD5

745174884165278ca284212180544a17
SHA1

920d5344b51f4f97cd92230e85c339c2237aaf1f
SHA256

2e43e75303476b0eff6585680ad006cc7a7506a4564aa49504512ee3b6621884
SHA512

b27d88282d10f6ecb0de600c4800e8b07f97a7348f47ee996cd205a1a84e5beafdbe4c6f4e589aceb56261c85c0dc95108c3fdb88cfcbc1077daadde7bca0d80
SSDEEP

12288:mg7JYihlZ/dMkbGo4suHNmS3cgexJAY7ytxcFmRCkn8RWpaxOXskry:mg7CClxek9huHNi1JAY72xr4kqW8xOXB

Score

10^/10

formbook oy30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oy30

Decoy

rfc234.top

danielcavalari.com

elperegrinocabo.com

aryor.info

surelistening.com

premium-numero-telf.buzz

orlynyml.click

tennislovers-ro.com

holdmytracker.com

eewapay.com

jaimesinstallglass.com

damactrade.net

swapspecialities.com

perfumesrffd.today

salesfactory.pro

supportive-solutions.com

naiol.com

khoyr.com

kalendeargpt44.com

web-tech-spb.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral1/memory/2356-68-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/2356-72-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1864-78-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook
behavioral1/memory/1864-80-0x0000000000080000-0x00000000000AF000-memory.dmp	formbook

Deletes itself 1 IoCs

pid	Process
2348	cmd.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1232 set thread context of 2356	1232	obizx.exe	30
PID 2356 set thread context of 1260	2356	obizx.exe	11
PID 1864 set thread context of 1260	1864	raserver.exe	11

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2356	obizx.exe
2356	obizx.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe
1864	raserver.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1260	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
2356	obizx.exe
2356	obizx.exe
2356	obizx.exe
1864	raserver.exe
1864	raserver.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2356	obizx.exe
Token: SeDebugPrivilege	1864	raserver.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 2356	1232	obizx.exe	30
PID 1232 wrote to memory of 2356	1232	obizx.exe	30
PID 1232 wrote to memory of 2356	1232	obizx.exe	30
PID 1232 wrote to memory of 2356	1232	obizx.exe	30
PID 1232 wrote to memory of 2356	1232	obizx.exe	30
PID 1232 wrote to memory of 2356	1232	obizx.exe	30
PID 1232 wrote to memory of 2356	1232	obizx.exe	30
PID 1260 wrote to memory of 1864	1260	Explorer.EXE	31
PID 1260 wrote to memory of 1864	1260	Explorer.EXE	31
PID 1260 wrote to memory of 1864	1260	Explorer.EXE	31
PID 1260 wrote to memory of 1864	1260	Explorer.EXE	31
PID 1864 wrote to memory of 2348	1864	raserver.exe	32
PID 1864 wrote to memory of 2348	1864	raserver.exe	32
PID 1864 wrote to memory of 2348	1864	raserver.exe	32
PID 1864 wrote to memory of 2348	1864	raserver.exe	32

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Users\Admin\AppData\Local\Temp\obizx.exe
  "C:\Users\Admin\AppData\Local\Temp\obizx.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1232
- - C:\Users\Admin\AppData\Local\Temp\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\obizx.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:2356
- C:\Windows\SysWOW64\raserver.exe
  "C:\Windows\SysWOW64\raserver.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\obizx.exe"
    3⤵
    - Deletes itself
    PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1232-60-0x0000000000370000-0x000000000037A000-memory.dmp

Filesize
40KB

Download
memory/1232-61-0x00000000051B0000-0x000000000521E000-memory.dmp

Filesize
440KB

Download
memory/1232-56-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1232-57-0x0000000000310000-0x0000000000320000-memory.dmp

Filesize
64KB

Download
memory/1232-58-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/1232-59-0x0000000002330000-0x0000000002370000-memory.dmp

Filesize
256KB

Download
memory/1232-55-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/1232-54-0x0000000000270000-0x000000000030C000-memory.dmp

Filesize
624KB

Download
memory/1232-69-0x0000000074A90000-0x000000007517E000-memory.dmp

Filesize
6.9MB

Download
memory/1260-86-0x0000000004CF0000-0x0000000004DA4000-memory.dmp

Filesize
720KB

Download
memory/1260-88-0x0000000004CF0000-0x0000000004DA4000-memory.dmp

Filesize
720KB

Download
memory/1260-84-0x0000000000010000-0x0000000000020000-memory.dmp

Filesize
64KB

Download
memory/1260-75-0x0000000006A80000-0x0000000006B76000-memory.dmp

Filesize
984KB

Download
memory/1260-81-0x0000000006A80000-0x0000000006B76000-memory.dmp

Filesize
984KB

Download
memory/1260-85-0x0000000004CF0000-0x0000000004DA4000-memory.dmp

Filesize
720KB

Download
memory/1864-80-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1864-76-0x0000000000110000-0x000000000012C000-memory.dmp

Filesize
112KB

Download
memory/1864-77-0x0000000000110000-0x000000000012C000-memory.dmp

Filesize
112KB

Download
memory/1864-78-0x0000000000080000-0x00000000000AF000-memory.dmp

Filesize
188KB

Download
memory/1864-79-0x0000000001F90000-0x0000000002293000-memory.dmp

Filesize
3.0MB

Download
memory/1864-83-0x0000000000520000-0x00000000005B4000-memory.dmp

Filesize
592KB

Download
memory/2356-72-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-74-0x0000000000330000-0x0000000000345000-memory.dmp

Filesize
84KB

Download
memory/2356-70-0x0000000000980000-0x0000000000C83000-memory.dmp

Filesize
3.0MB

Download
memory/2356-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-66-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-64-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing