formbook | 6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b

General

Target

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
Size

710KB
MD5

493562fc3240d634f797be4a433d72c7
SHA1

92569595aa0a20d9937bd03525a756dd35059d3b
SHA256

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b
SHA512

70eb16d06d38d80cc4513962f6fbdeda54e6ec2bc30caa9fb112d3cd355b12c088426c823d3d4a3e315209b3fc908c0339e9cdc8de99462e87eba311f4801a75
SSDEEP

12288:406gna2iNP1UIkvEbtOgVt3KB6bxxXRZEG/p8fD5mcjtqlg6utz5l96OXaq:XTa1F14ot1aIxxAop+mc0g6MNa

Score

10^/10

formbook ro12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ro12

Decoy

start399.com

decyfincoin.com

binguozhijiaok.com

one45.vip

55dy5s.top

regmt.pro

2ahxgaafifl.com

xn--6rtp2flvfc2h.com

justinmburns.com

los3.online

fleshaaikensdivinegiven7llc.com

servicedelv.services

apexcaryhomesforsale.com

shuraop.xyz

sagetotal.com

gratitude-et-compagnie.com

riderarea.com

digitalserviceact.online

contentbyc.com

agenda-digital-planner.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1664-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

description	pid	process	target process
PID 2204 set thread context of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

pid	process
2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
1664	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

description pid process

Token: SeDebugPrivilege 2204 6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

description	pid	process
Token: SeDebugPrivilege	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

description	pid	process	target process
PID 2204 wrote to memory of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
PID 2204 wrote to memory of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
PID 2204 wrote to memory of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
PID 2204 wrote to memory of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
PID 2204 wrote to memory of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
PID 2204 wrote to memory of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
PID 2204 wrote to memory of 1664	2204	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe	6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe

C:\Users\Admin\AppData\Local\Temp\6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
"C:\Users\Admin\AppData\Local\Temp\6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2204
- C:\Users\Admin\AppData\Local\Temp\6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe
  "C:\Users\Admin\AppData\Local\Temp\6b73ab2cf730e26c8609e57d23e09260d6c74db84f29ae6f786129f7a3b6512b.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1664-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-16-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1664-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1664-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1664-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-3-0x00000000005C0000-0x00000000005D8000-memory.dmp

Filesize
96KB

Download
memory/2204-6-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/2204-7-0x0000000005030000-0x000000000509E000-memory.dmp

Filesize
440KB

Download
memory/2204-5-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2204-4-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-0-0x0000000000340000-0x00000000003F8000-memory.dmp

Filesize
736KB

Download
memory/2204-2-0x0000000004CE0000-0x0000000004D20000-memory.dmp

Filesize
256KB

Download
memory/2204-15-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/2204-1-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads