formbook | 2e43e75303476b0eff6585680ad006cc7a7506a4564aa49504512ee3b6621884

General

Target

obizx.exe
Size

605KB
MD5

745174884165278ca284212180544a17
SHA1

920d5344b51f4f97cd92230e85c339c2237aaf1f
SHA256

2e43e75303476b0eff6585680ad006cc7a7506a4564aa49504512ee3b6621884
SHA512

b27d88282d10f6ecb0de600c4800e8b07f97a7348f47ee996cd205a1a84e5beafdbe4c6f4e589aceb56261c85c0dc95108c3fdb88cfcbc1077daadde7bca0d80
SSDEEP

12288:mg7JYihlZ/dMkbGo4suHNmS3cgexJAY7ytxcFmRCkn8RWpaxOXskry:mg7CClxek9huHNi1JAY72xr4kqW8xOXB

Score

10^/10

formbook oy30 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oy30

Decoy

rfc234.top

danielcavalari.com

elperegrinocabo.com

aryor.info

surelistening.com

premium-numero-telf.buzz

orlynyml.click

tennislovers-ro.com

holdmytracker.com

eewapay.com

jaimesinstallglass.com

damactrade.net

swapspecialities.com

perfumesrffd.today

salesfactory.pro

supportive-solutions.com

naiol.com

khoyr.com

kalendeargpt44.com

web-tech-spb.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3596-144-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3596-149-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/3944-155-0x0000000000720000-0x000000000074F000-memory.dmp	formbook
behavioral2/memory/3944-157-0x0000000000720000-0x000000000074F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2024 set thread context of 3596	2024	obizx.exe	94
PID 3596 set thread context of 3136	3596	obizx.exe	40
PID 3944 set thread context of 3136	3944	svchost.exe	40

Suspicious behavior: EnumeratesProcesses 46 IoCs

pid	Process
3596	obizx.exe
3596	obizx.exe
3596	obizx.exe
3596	obizx.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe
3944	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3136	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
3596	obizx.exe
3596	obizx.exe
3596	obizx.exe
3944	svchost.exe
3944	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3596	obizx.exe
Token: SeDebugPrivilege	3944	svchost.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
3136	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2024 wrote to memory of 3596	2024	obizx.exe	94
PID 2024 wrote to memory of 3596	2024	obizx.exe	94
PID 2024 wrote to memory of 3596	2024	obizx.exe	94
PID 2024 wrote to memory of 3596	2024	obizx.exe	94
PID 2024 wrote to memory of 3596	2024	obizx.exe	94
PID 2024 wrote to memory of 3596	2024	obizx.exe	94
PID 3136 wrote to memory of 3944	3136	Explorer.EXE	95
PID 3136 wrote to memory of 3944	3136	Explorer.EXE	95
PID 3136 wrote to memory of 3944	3136	Explorer.EXE	95
PID 3944 wrote to memory of 3336	3944	svchost.exe	96
PID 3944 wrote to memory of 3336	3944	svchost.exe	96
PID 3944 wrote to memory of 3336	3944	svchost.exe	96

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3136
- C:\Users\Admin\AppData\Local\Temp\obizx.exe
  "C:\Users\Admin\AppData\Local\Temp\obizx.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:2024
- - C:\Users\Admin\AppData\Local\Temp\obizx.exe
    "C:\Users\Admin\AppData\Local\Temp\obizx.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:3596
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\SysWOW64\svchost.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3944
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\obizx.exe"
    3⤵
    PID:3336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2024-146-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2024-135-0x0000000006010000-0x00000000065B4000-memory.dmp

Filesize
5.6MB

Download
memory/2024-133-0x0000000000FC0000-0x000000000105C000-memory.dmp

Filesize
624KB

Download
memory/2024-136-0x0000000005A60000-0x0000000005AF2000-memory.dmp

Filesize
584KB

Download
memory/2024-137-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/2024-138-0x0000000005BF0000-0x0000000005BFA000-memory.dmp

Filesize
40KB

Download
memory/2024-139-0x0000000006F50000-0x0000000006F62000-memory.dmp

Filesize
72KB

Download
memory/2024-140-0x0000000006FA0000-0x0000000006FC2000-memory.dmp

Filesize
136KB

Download
memory/2024-141-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/2024-142-0x0000000005A20000-0x0000000005A30000-memory.dmp

Filesize
64KB

Download
memory/2024-143-0x000000000B0A0000-0x000000000B13C000-memory.dmp

Filesize
624KB

Download
memory/2024-134-0x0000000075140000-0x00000000758F0000-memory.dmp

Filesize
7.7MB

Download
memory/3136-164-0x000000000AAF0000-0x000000000ABF6000-memory.dmp

Filesize
1.0MB

Download
memory/3136-158-0x0000000009020000-0x00000000091BE000-memory.dmp

Filesize
1.6MB

Download
memory/3136-162-0x000000000AAF0000-0x000000000ABF6000-memory.dmp

Filesize
1.0MB

Download
memory/3136-161-0x000000000AAF0000-0x000000000ABF6000-memory.dmp

Filesize
1.0MB

Download
memory/3136-151-0x0000000009020000-0x00000000091BE000-memory.dmp

Filesize
1.6MB

Download
memory/3596-149-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-144-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3596-150-0x0000000001740000-0x0000000001755000-memory.dmp

Filesize
84KB

Download
memory/3596-147-0x00000000013A0000-0x00000000016EA000-memory.dmp

Filesize
3.3MB

Download
memory/3944-152-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/3944-154-0x0000000000F10000-0x0000000000F1E000-memory.dmp

Filesize
56KB

Download
memory/3944-155-0x0000000000720000-0x000000000074F000-memory.dmp

Filesize
188KB

Download
memory/3944-156-0x0000000001400000-0x000000000174A000-memory.dmp

Filesize
3.3MB

Download
memory/3944-160-0x00000000012A0000-0x0000000001334000-memory.dmp

Filesize
592KB

Download
memory/3944-157-0x0000000000720000-0x000000000074F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing