formbook | 73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d

General

Target

73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe
Size

587KB
MD5

28add1243c433986dbb73ef4e6763fa1
SHA1

eb5c172e07f5f8b7e30417ee8547a58b05996756
SHA256

73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d
SHA512

af35f5f3540b3110602222f917ea9fa76cf743573826d3e1a89472ed7623d88be97cd7c9f4c3d9c8b38d0ff7d2bed2c708809a1cda5de93990389e3bd6970542
SSDEEP

12288:3r4lrrr/zYPeL3bhmL8NnTl/EOnOzfAq3zStUunsB:3r4lXr/zieL3boQRlNn3q3ujns

Score

10^/10

formbook d6dt rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d6dt

Decoy

curenveda.com

mavilitur.xyz

airdropfisher.com

jxwqeumw.click

solepowertool.com

quickmartltd.com

postbh.com

aerialcarried.click

teamabr-rfa.com

jeagma9k.click

aquaafiafoodsafety.com

dangtutu.com

lahfhg.com

patricia-lee.com

nextgencoders.tech

scercommerce.online

crates.surf

casamorganagelatos.com

dwynet.com

3genenterprisesllc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2348-65-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2980 set thread context of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe
2348	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 2264	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	30
PID 2980 wrote to memory of 2264	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	30
PID 2980 wrote to memory of 2264	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	30
PID 2980 wrote to memory of 2264	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	30
PID 2980 wrote to memory of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31
PID 2980 wrote to memory of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31
PID 2980 wrote to memory of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31
PID 2980 wrote to memory of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31
PID 2980 wrote to memory of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31
PID 2980 wrote to memory of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31
PID 2980 wrote to memory of 2348	2980	73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe	31

C:\Users\Admin\AppData\Local\Temp\73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe
"C:\Users\Admin\AppData\Local\Temp\73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Users\Admin\AppData\Local\Temp\73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe"
  2⤵
  PID:2264
- C:\Users\Admin\AppData\Local\Temp\73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\73cb9c68b47d45884c4cbdb18d45a63a4d67a1f22ab8cb2a6ec92423cd77948d_JC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-67-0x0000000000900000-0x0000000000C03000-memory.dmp

Filesize
3.0MB

Download
memory/2348-65-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2348-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2980-56-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2980-59-0x0000000000760000-0x000000000076E000-memory.dmp

Filesize
56KB

Download
memory/2980-60-0x0000000004810000-0x000000000487E000-memory.dmp

Filesize
440KB

Download
memory/2980-58-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2980-57-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-53-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-55-0x0000000004D10000-0x0000000004D50000-memory.dmp

Filesize
256KB

Download
memory/2980-66-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2980-54-0x0000000000860000-0x00000000008FA000-memory.dmp

Filesize
616KB

Download

Analysis

Sharing