formbook | 903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64

General

Target

uzomazx.exe
Size

1.0MB
MD5

c178cb400a5d151c4e59640ca55b604a
SHA1

2f335f8791e3effef43c8f3441d9573f70ea22e9
SHA256

903bfcbe2d85143ad723b47ed1edc96f5416fa3b584fe76e74d75e93ff4b2e64
SHA512

fcc86d5858403f0a93ce1bda799e88338ad758403c1c6124ac181d61725052e0e1bd99edf1beff341cb576d085b63d3b78966c56a8b79cdf56b8d60a28e28527
SSDEEP

24576:j1u6u4RbJDAzdUqYyDim6cF56gemFZiPZHWxEGPnqdOp:jV9RbJwdtim6cF5sR2xEGPnqdO

Score

10^/10

formbook ua69 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ua69

Decoy

uslanmayizz.com

rrucrowd.com

nerexy.online

guolang-clan.com

meteleabogados.com

sh-gottipati.com

themesmiui.com

anananlan.com

roghanala.com

yekitiba.com

echoskinco.com

btlpour.xyz

shoyo-samaa.com

fuzzywumpus.net

malerzeit.com

xiam.online

brandibraunalissa.com

cryptominis.pro

we-living.com

dc-invest.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1416-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/1416-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/4000-20-0x00000000009B0000-0x00000000009DF000-memory.dmp	formbook
behavioral2/memory/4000-22-0x00000000009B0000-0x00000000009DF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1852 set thread context of 1416	1852	uzomazx.exe	92
PID 1416 set thread context of 3108	1416	uzomazx.exe	66
PID 4000 set thread context of 3108	4000	wlanext.exe	66

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
1416	uzomazx.exe
1416	uzomazx.exe
1416	uzomazx.exe
1416	uzomazx.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe
4000	wlanext.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3108	Explorer.EXE

Suspicious behavior: MapViewOfSection 5 IoCs

pid	Process
1416	uzomazx.exe
1416	uzomazx.exe
1416	uzomazx.exe
4000	wlanext.exe
4000	wlanext.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1416	uzomazx.exe
Token: SeDebugPrivilege	4000	wlanext.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 1416	1852	uzomazx.exe	92
PID 1852 wrote to memory of 1416	1852	uzomazx.exe	92
PID 1852 wrote to memory of 1416	1852	uzomazx.exe	92
PID 1852 wrote to memory of 1416	1852	uzomazx.exe	92
PID 1852 wrote to memory of 1416	1852	uzomazx.exe	92
PID 1852 wrote to memory of 1416	1852	uzomazx.exe	92
PID 3108 wrote to memory of 4000	3108	Explorer.EXE	93
PID 3108 wrote to memory of 4000	3108	Explorer.EXE	93
PID 3108 wrote to memory of 4000	3108	Explorer.EXE	93
PID 4000 wrote to memory of 1428	4000	wlanext.exe	94
PID 4000 wrote to memory of 1428	4000	wlanext.exe	94
PID 4000 wrote to memory of 1428	4000	wlanext.exe	94

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Users\Admin\AppData\Local\Temp\uzomazx.exe
  "C:\Users\Admin\AppData\Local\Temp\uzomazx.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\uzomazx.exe
    "C:\Users\Admin\AppData\Local\Temp\uzomazx.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    PID:1416
- C:\Windows\SysWOW64\wlanext.exe
  "C:\Windows\SysWOW64\wlanext.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4000
- - C:\Windows\SysWOW64\cmd.exe
    /c del "C:\Users\Admin\AppData\Local\Temp\uzomazx.exe"
    3⤵
    PID:1428

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1416-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-15-0x0000000000D70000-0x0000000000D84000-memory.dmp

Filesize
80KB

Download
memory/1416-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1416-12-0x0000000001200000-0x000000000154A000-memory.dmp

Filesize
3.3MB

Download
memory/1852-6-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/1852-1-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/1852-0-0x0000000000830000-0x000000000093A000-memory.dmp

Filesize
1.0MB

Download
memory/1852-7-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1852-8-0x0000000008570000-0x000000000860C000-memory.dmp

Filesize
624KB

Download
memory/1852-4-0x0000000005550000-0x0000000005560000-memory.dmp

Filesize
64KB

Download
memory/1852-11-0x0000000075300000-0x0000000075AB0000-memory.dmp

Filesize
7.7MB

Download
memory/1852-3-0x0000000005350000-0x00000000053E2000-memory.dmp

Filesize
584KB

Download
memory/1852-2-0x0000000005900000-0x0000000005EA4000-memory.dmp

Filesize
5.6MB

Download
memory/1852-5-0x0000000005320000-0x000000000532A000-memory.dmp

Filesize
40KB

Download
memory/3108-16-0x00000000045B0000-0x000000000469F000-memory.dmp

Filesize
956KB

Download
memory/3108-23-0x00000000045B0000-0x000000000469F000-memory.dmp

Filesize
956KB

Download
memory/3108-26-0x0000000008C50000-0x0000000008D78000-memory.dmp

Filesize
1.2MB

Download
memory/3108-27-0x0000000008C50000-0x0000000008D78000-memory.dmp

Filesize
1.2MB

Download
memory/4000-17-0x00000000009F0000-0x0000000000A07000-memory.dmp

Filesize
92KB

Download
memory/4000-19-0x00000000009F0000-0x0000000000A07000-memory.dmp

Filesize
92KB

Download
memory/4000-20-0x00000000009B0000-0x00000000009DF000-memory.dmp

Filesize
188KB

Download
memory/4000-21-0x0000000001490000-0x00000000017DA000-memory.dmp

Filesize
3.3MB

Download
memory/4000-22-0x00000000009B0000-0x00000000009DF000-memory.dmp

Filesize
188KB

Download
memory/4000-25-0x00000000012E0000-0x0000000001373000-memory.dmp

Filesize
588KB

Download

Analysis

Sharing