formbook | 708e685f0db9aab8e31d170d6e05f85aa906273fec441a2e4a696fd140f6f0bf

General

Target

4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
Size

797KB
MD5

4e0a57febe7c13d6f294ea34cbfc5cbf
SHA1

f52a1d2cb7613c8fea67466dbbbce684541076a5
SHA256

4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875
SHA512

47a2824b4dea833948cde7ad378b5a30a58a7b7945695e556c96858a0c11484ccbed6256c3f7c63035b7de02da4d87619fd26de4913313143d617dac651085a7
SSDEEP

24576:0uLklAVXeIpaVidw9koilGCKfwd2WQkRv0yw1FuZdu:NLvV+19pilHK4dj9R8Hu+

Score

10^/10

formbook ny02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ny02

Decoy

unirewards.online

giaoxuthanhgia.com

jennifersarrasin.online

hotelcampestrelafloresta.com

rwardsuprefortunerabbit.website

wanguardplacements.com

myfittedbedroomboutique.com

romariiregenerative.com

fashionhabesha.online

q778.top

embodiedtruthmethod.online

petgoodies.store

prismeventsandtours.com

onlinedelight.tech

segoviaresidencial.com

livewin.win

qhyhxs.com

kemprut.com

sanghahealing.net

forcewealthpower.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2968-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2584 set thread context of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2968	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 2148	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	30
PID 2584 wrote to memory of 2148	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	30
PID 2584 wrote to memory of 2148	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	30
PID 2584 wrote to memory of 2148	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	30
PID 2584 wrote to memory of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31
PID 2584 wrote to memory of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31
PID 2584 wrote to memory of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31
PID 2584 wrote to memory of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31
PID 2584 wrote to memory of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31
PID 2584 wrote to memory of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31
PID 2584 wrote to memory of 2968	2584	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	31

C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
"C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
  "C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe"
  2⤵
  PID:2148
- C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
  "C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2968

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2584-6-0x00000000005B0000-0x00000000005C0000-memory.dmp

Filesize
64KB

Download
memory/2584-0-0x00000000013D0000-0x000000000149E000-memory.dmp

Filesize
824KB

Download
memory/2584-2-0x0000000001350000-0x0000000001390000-memory.dmp

Filesize
256KB

Download
memory/2584-3-0x0000000000620000-0x0000000000638000-memory.dmp

Filesize
96KB

Download
memory/2584-4-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-5-0x0000000001350000-0x0000000001390000-memory.dmp

Filesize
256KB

Download
memory/2584-1-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2584-7-0x0000000007FB0000-0x000000000804C000-memory.dmp

Filesize
624KB

Download
memory/2584-15-0x0000000074B40000-0x000000007522E000-memory.dmp

Filesize
6.9MB

Download
memory/2968-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2968-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2968-16-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing