formbook | c9abcfad837a889855fac86bb376f11a0383d2cd956c13b41546e62dd55fa199

General

Target

cca9sXT33VsAEdu.exe
Size

582KB
MD5

5824d7b76dcd8c106392e0739132a724
SHA1

560fe3730f004369e25f455227a1a580c87c0154
SHA256

c9abcfad837a889855fac86bb376f11a0383d2cd956c13b41546e62dd55fa199
SHA512

36964f2cb0f979204b9638d4f1c6adba5c3b58c23d53029061b6f1f1910ffab124a14772b0673ffe978f646ad9235970e1d1cfbb0a9597371818481f2fd00e8e
SSDEEP

12288:HfR/iFIsPAb/z/rNj3qPpZMshEtS0XEKz1MciRtiU9TAv9TiuQLsKOQwk58e/:/RkIKyb5j3qxOsAEKhMc8XsF2eKOQj

Score

10^/10

formbook dy13 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dy13

Decoy

manga-house.com

kjsdhklssk51.xyz

b0ba138.xyz

bt365033.com

ccbsinc.net

mrwine.xyz

nrxkrd527o.xyz

hoshi.social

1912ai.com

serco2020.com

byfchfyr.xyz

imuschestvostorgov.online

austinheafey.com

mrdfa.club

883106.photos

profitablefxmarkets.com

taini00.net

brye.top

ginsm.com

sportglid.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/428-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/428-16-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral2/memory/2864-22-0x0000000000770000-0x000000000079F000-memory.dmp	formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

cca9sXT33VsAEdu.execca9sXT33VsAEdu.exeraserver.exe

description	pid	process	target process
PID 3036 set thread context of 428	3036	cca9sXT33VsAEdu.exe	cca9sXT33VsAEdu.exe
PID 428 set thread context of 3436	428	cca9sXT33VsAEdu.exe	Explorer.EXE
PID 2864 set thread context of 3436	2864	raserver.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 56 IoCs

Processes:

cca9sXT33VsAEdu.exeraserver.exe

pid	process
428	cca9sXT33VsAEdu.exe
428	cca9sXT33VsAEdu.exe
428	cca9sXT33VsAEdu.exe
428	cca9sXT33VsAEdu.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe
2864	raserver.exe

Suspicious behavior: MapViewOfSection 5 IoCs

Processes:

cca9sXT33VsAEdu.exeraserver.exe

pid process

428 cca9sXT33VsAEdu.exe
428 cca9sXT33VsAEdu.exe
428 cca9sXT33VsAEdu.exe
2864 raserver.exe
2864 raserver.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

cca9sXT33VsAEdu.exeraserver.exe

description pid process

Token: SeDebugPrivilege 428 cca9sXT33VsAEdu.exe
Token: SeDebugPrivilege 2864 raserver.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3436 Explorer.EXE

description	pid	process
Token: SeDebugPrivilege	428	cca9sXT33VsAEdu.exe
Token: SeDebugPrivilege	2864	raserver.exe

pid	process
3436	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

cca9sXT33VsAEdu.exeExplorer.EXEraserver.exe

description	pid	process	target process
PID 3036 wrote to memory of 428	3036	cca9sXT33VsAEdu.exe	cca9sXT33VsAEdu.exe
PID 3036 wrote to memory of 428	3036	cca9sXT33VsAEdu.exe	cca9sXT33VsAEdu.exe
PID 3036 wrote to memory of 428	3036	cca9sXT33VsAEdu.exe	cca9sXT33VsAEdu.exe
PID 3036 wrote to memory of 428	3036	cca9sXT33VsAEdu.exe	cca9sXT33VsAEdu.exe
PID 3036 wrote to memory of 428	3036	cca9sXT33VsAEdu.exe	cca9sXT33VsAEdu.exe
PID 3036 wrote to memory of 428	3036	cca9sXT33VsAEdu.exe	cca9sXT33VsAEdu.exe
PID 3436 wrote to memory of 2864	3436	Explorer.EXE	raserver.exe
PID 3436 wrote to memory of 2864	3436	Explorer.EXE	raserver.exe
PID 3436 wrote to memory of 2864	3436	Explorer.EXE	raserver.exe
PID 2864 wrote to memory of 5000	2864	raserver.exe	cmd.exe
PID 2864 wrote to memory of 5000	2864	raserver.exe	cmd.exe
PID 2864 wrote to memory of 5000	2864	raserver.exe	cmd.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3436

C:\Users\Admin\AppData\Local\Temp\cca9sXT33VsAEdu.exe
"C:\Users\Admin\AppData\Local\Temp\cca9sXT33VsAEdu.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3036

C:\Users\Admin\AppData\Local\Temp\cca9sXT33VsAEdu.exe
"C:\Users\Admin\AppData\Local\Temp\cca9sXT33VsAEdu.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:428

C:\Windows\SysWOW64\raserver.exe
"C:\Windows\SysWOW64\raserver.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2864

C:\Windows\SysWOW64\cmd.exe
/c del "C:\Users\Admin\AppData\Local\Temp\cca9sXT33VsAEdu.exe"
3⤵
PID:5000

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/428-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-16-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/428-17-0x0000000000E10000-0x0000000000E25000-memory.dmp

Filesize
84KB

Download
memory/428-14-0x0000000001290000-0x00000000015DA000-memory.dmp

Filesize
3.3MB

Download
memory/2864-22-0x0000000000770000-0x000000000079F000-memory.dmp

Filesize
188KB

Download
memory/2864-21-0x0000000000930000-0x000000000094F000-memory.dmp

Filesize
124KB

Download
memory/2864-19-0x0000000000930000-0x000000000094F000-memory.dmp

Filesize
124KB

Download
memory/3036-5-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/3036-0-0x0000000074C7E000-0x0000000074C7F000-memory.dmp

Filesize
4KB

Download
memory/3036-9-0x00000000065E0000-0x0000000006656000-memory.dmp

Filesize
472KB

Download
memory/3036-10-0x00000000068A0000-0x000000000693C000-memory.dmp

Filesize
624KB

Download
memory/3036-7-0x00000000057E0000-0x00000000057E8000-memory.dmp

Filesize
32KB

Download
memory/3036-13-0x0000000074C70000-0x0000000075420000-memory.dmp

Filesize
7.7MB

Download
memory/3036-6-0x0000000005610000-0x0000000005622000-memory.dmp

Filesize
72KB

Download
memory/3036-8-0x00000000057F0000-0x00000000057FC000-memory.dmp

Filesize
48KB

Download
memory/3036-4-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/3036-1-0x0000000000930000-0x00000000009C6000-memory.dmp

Filesize
600KB

Download
memory/3036-3-0x0000000005390000-0x0000000005422000-memory.dmp

Filesize
584KB

Download
memory/3036-2-0x0000000005A30000-0x0000000005FD4000-memory.dmp

Filesize
5.6MB

Download
memory/3436-18-0x000000000AD90000-0x000000000AF01000-memory.dmp

Filesize
1.4MB

Download
memory/3436-25-0x0000000003090000-0x000000000316F000-memory.dmp

Filesize
892KB

Download
memory/3436-26-0x0000000003090000-0x000000000316F000-memory.dmp

Filesize
892KB

Download
memory/3436-29-0x0000000003090000-0x000000000316F000-memory.dmp

Filesize
892KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads