formbook | 7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b

General

Target

7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
Size

614KB
MD5

607868824f841ff4b6e24e997228d10d
SHA1

76a91ee65551d7babf8799bbecd9e78c44f47787
SHA256

7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
SHA512

99f856165bcdfeaf6ef3e9f34c9d88cb30e3467f238eef4489ade96024d57d50dd002da63e77dfeb82458b084a1535a7392ac159711337b8694e75822033ebc8
SSDEEP

12288:LajzneBoLmk8bLq4xKNhZAb2drAJuU6ljqdLGtierEWhuV:2jznfL/qLxK7ZAbWAJJ6lGdLGtierEJV

Score

10^/10

formbook btrd rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/4848-11-0x0000000000510000-0x000000000053F000-memory.dmp formbook

resource	yara_rule
behavioral2/memory/4848-11-0x0000000000510000-0x000000000053F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe

description	pid	process	target process
PID 648 set thread context of 4848	648	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
3044	4848	WerFault.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
1460	4848	WerFault.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe

description	pid	process	target process
PID 648 wrote to memory of 4848	648	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
PID 648 wrote to memory of 4848	648	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
PID 648 wrote to memory of 4848	648	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
PID 648 wrote to memory of 4848	648	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
PID 648 wrote to memory of 4848	648	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
PID 648 wrote to memory of 4848	648	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
PID 4848 wrote to memory of 3044	4848	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	WerFault.exe
PID 4848 wrote to memory of 3044	4848	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	WerFault.exe
PID 4848 wrote to memory of 3044	4848	7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
"C:\Users\Admin\AppData\Local\Temp\7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:648

C:\Users\Admin\AppData\Local\Temp\7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe
"C:\Users\Admin\AppData\Local\Temp\7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 184
3⤵
- Program crash
PID:3044

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4848 -s 184
3⤵
- Program crash
PID:1460

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1420 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
1⤵
PID:3956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 4848 -ip 4848
1⤵
PID:576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/648-6-0x00000000053A0000-0x00000000053AA000-memory.dmp

Filesize
40KB

Download
memory/648-1-0x0000000000780000-0x0000000000820000-memory.dmp

Filesize
640KB

Download
memory/648-2-0x0000000005760000-0x0000000005D04000-memory.dmp

Filesize
5.6MB

Download
memory/648-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/648-4-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/648-5-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/648-0-0x0000000074F3E000-0x0000000074F3F000-memory.dmp

Filesize
4KB

Download
memory/648-7-0x00000000056F0000-0x0000000005752000-memory.dmp

Filesize
392KB

Download
memory/648-8-0x0000000005F50000-0x0000000005FEC000-memory.dmp

Filesize
624KB

Download
memory/648-9-0x00000000053E0000-0x00000000053E8000-memory.dmp

Filesize
32KB

Download
memory/648-13-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/648-15-0x0000000074F30000-0x00000000756E0000-memory.dmp

Filesize
7.7MB

Download
memory/4848-11-0x0000000000510000-0x000000000053F000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads