formbook | 380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0

General

Target

wkUOj276sJEoMFq.exe
Size

594KB
MD5

34b8885c737fa78ecc68c1bf0628f8c0
SHA1

32936d1bce243a085c81147f1d569a1c20c44bb2
SHA256

380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0
SHA512

ed336237c0f5c038a1ffd2646b38c1d4cd6f4133e2be0f645f25a9e0b844c3f8f69aa6bcde18a072cc57da434006914ded57e2779084e0244dbbf44a3f193196
SSDEEP

12288:zQ3yvK/bBMqQOa/71j+zmxnHJaA8YPGTU+aJczbxLedJJ4iav2hcll0WEm:+yqBMqQOiLnoYeyqzbxuv4im2hcT0fm

Score

10^/10

formbook cr12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cr12

Decoy

nff1291.com

satyainfra.com

hechiceradeamores.com

jfgminimalist.com

qut68q.com

pedandmore.com

sugardefender24-usa.us

somalse.com

lotusluxecandle.com

certificadobassetpro.com

veryaroma.com

thehistoryofindia.in

33155.cc

terastudy.net

84031.vip

heilsambegegnen.com

horizon-rg.info

junongpei.website

winstons.club

henslotalt.us

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/448-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/448-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/228-23-0x0000000000880000-0x00000000008AF000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

wkUOj276sJEoMFq.exewkUOj276sJEoMFq.exeraserver.exe

description	pid	process	target process
PID 2660 set thread context of 448	2660	wkUOj276sJEoMFq.exe	wkUOj276sJEoMFq.exe
PID 448 set thread context of 3388	448	wkUOj276sJEoMFq.exe	Explorer.EXE
PID 228 set thread context of 3388	228	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

wkUOj276sJEoMFq.exeraserver.exe

pid	process
448	wkUOj276sJEoMFq.exe
448	wkUOj276sJEoMFq.exe
448	wkUOj276sJEoMFq.exe
448	wkUOj276sJEoMFq.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe
228	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

wkUOj276sJEoMFq.exeraserver.exe

pid process

448 wkUOj276sJEoMFq.exe
448 wkUOj276sJEoMFq.exe
448 wkUOj276sJEoMFq.exe
228 raserver.exe
228 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

wkUOj276sJEoMFq.exeraserver.exe

description pid process

Token: SeDebugPrivilege 448 wkUOj276sJEoMFq.exe
Token: SeDebugPrivilege 228 raserver.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3388 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	448	wkUOj276sJEoMFq.exe
Token: SeDebugPrivilege	228	raserver.exe

pid	process
3388	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

wkUOj276sJEoMFq.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 2660 wrote to memory of 448	2660	wkUOj276sJEoMFq.exe	wkUOj276sJEoMFq.exe
PID 2660 wrote to memory of 448	2660	wkUOj276sJEoMFq.exe	wkUOj276sJEoMFq.exe
PID 2660 wrote to memory of 448	2660	wkUOj276sJEoMFq.exe	wkUOj276sJEoMFq.exe
PID 2660 wrote to memory of 448	2660	wkUOj276sJEoMFq.exe	wkUOj276sJEoMFq.exe
PID 2660 wrote to memory of 448	2660	wkUOj276sJEoMFq.exe	wkUOj276sJEoMFq.exe
PID 2660 wrote to memory of 448	2660	wkUOj276sJEoMFq.exe	wkUOj276sJEoMFq.exe
PID 3388 wrote to memory of 228	3388	Explorer.EXE	raserver.exe
PID 3388 wrote to memory of 228	3388	Explorer.EXE	raserver.exe
PID 3388 wrote to memory of 228	3388	Explorer.EXE	raserver.exe
PID 228 wrote to memory of 4360	228	raserver.exe	cmd.exe
PID 228 wrote to memory of 4360	228	raserver.exe	cmd.exe
PID 228 wrote to memory of 4360	228	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3388

C:\Users\Admin\AppData\Local\Temp\wkUOj276sJEoMFq.exe
"C:\Users\Admin\AppData\Local\Temp\wkUOj276sJEoMFq.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2660

C:\Users\Admin\AppData\Local\Temp\wkUOj276sJEoMFq.exe
"C:\Users\Admin\AppData\Local\Temp\wkUOj276sJEoMFq.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:448

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\wkUOj276sJEoMFq.exe"
3⤵
PID:4360

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-23-0x0000000000880000-0x00000000008AF000-memory.dmp

Filesize
188KB

Download
memory/228-22-0x00000000009E0000-0x00000000009FF000-memory.dmp

Filesize
124KB

Download
memory/228-19-0x00000000009E0000-0x00000000009FF000-memory.dmp

Filesize
124KB

Download
memory/448-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/448-17-0x0000000000DC0000-0x0000000000DD4000-memory.dmp

Filesize
80KB

Download
memory/448-14-0x0000000001240000-0x000000000158A000-memory.dmp

Filesize
3.3MB

Download
memory/2660-6-0x0000000005290000-0x00000000052A6000-memory.dmp

Filesize
88KB

Download
memory/2660-1-0x0000000000450000-0x00000000004EA000-memory.dmp

Filesize
616KB

Download
memory/2660-9-0x0000000006140000-0x00000000061B6000-memory.dmp

Filesize
472KB

Download
memory/2660-10-0x0000000009130000-0x00000000091CC000-memory.dmp

Filesize
624KB

Download
memory/2660-7-0x0000000006110000-0x000000000611C000-memory.dmp

Filesize
48KB

Download
memory/2660-13-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/2660-0-0x000000007501E000-0x000000007501F000-memory.dmp

Filesize
4KB

Download
memory/2660-5-0x0000000075010000-0x00000000757C0000-memory.dmp

Filesize
7.7MB

Download
memory/2660-4-0x00000000050A0000-0x00000000050AA000-memory.dmp

Filesize
40KB

Download
memory/2660-8-0x0000000006120000-0x0000000006130000-memory.dmp

Filesize
64KB

Download
memory/2660-3-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/2660-2-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/3388-18-0x0000000009010000-0x00000000091B9000-memory.dmp

Filesize
1.7MB

Download
memory/3388-25-0x0000000009010000-0x00000000091B9000-memory.dmp

Filesize
1.7MB

Download
memory/3388-28-0x00000000036B0000-0x00000000037A9000-memory.dmp

Filesize
996KB

Download
memory/3388-29-0x00000000036B0000-0x00000000037A9000-memory.dmp

Filesize
996KB

Download
memory/3388-32-0x00000000036B0000-0x00000000037A9000-memory.dmp

Filesize
996KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads