formbook | 8a8cc0347be5e13c27bbb82822db989e8c47896d8e23944a8f5f419f4b6989ee

Analysis

max time kernel
83s
max time network
58s
platform
windows7_x64
resource
win7v20210410
submitted
06-07-2021 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c71f136a10c7c2f067f0a551a48f8ff6.exe
Size

886KB
MD5

c71f136a10c7c2f067f0a551a48f8ff6
SHA1

a3bfac3f71eb6b1e1519d42ec8e01f4aff4d8d5a
SHA256

8a8cc0347be5e13c27bbb82822db989e8c47896d8e23944a8f5f419f4b6989ee
SHA512

11623a0118b5cb78ae77ec9c5f119e2c530614c295b297d27858b188846555918b8fdf4eec8a5fb04952ffa6af35bdc4c584c2805de9e991bf12fb3ca2db1d90

Score

10^/10

formbook rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

http://www.share-event.info/wlns/

Decoy

travelagentngapali.com

cassandraclub.com

yuanhenghuanwei.com

rellimsewil.com

servingsunshine.com

guniverse.net

livingonresidual.net

fourmid.com

batesandmills.com

produtos-servicos.website

pokemonteambuilder.team

ticeye.com

latituderc.com

xn--ok0bv0wfrj.com

strinix.com

nycmama.com

sljy8888.com

lifeinsurancerd.com

osdbapi.com

xydwnzavp.asia

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/532-66-0x000000000041EB50-mapping.dmp	formbook
behavioral1/memory/532-65-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1208 set thread context of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
532	c71f136a10c7c2f067f0a551a48f8ff6.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1208 wrote to memory of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29
PID 1208 wrote to memory of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29
PID 1208 wrote to memory of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29
PID 1208 wrote to memory of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29
PID 1208 wrote to memory of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29
PID 1208 wrote to memory of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29
PID 1208 wrote to memory of 532	1208	c71f136a10c7c2f067f0a551a48f8ff6.exe	29

C:\Users\Admin\AppData\Local\Temp\c71f136a10c7c2f067f0a551a48f8ff6.exe
"C:\Users\Admin\AppData\Local\Temp\c71f136a10c7c2f067f0a551a48f8ff6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Users\Admin\AppData\Local\Temp\c71f136a10c7c2f067f0a551a48f8ff6.exe
  "C:\Users\Admin\AppData\Local\Temp\c71f136a10c7c2f067f0a551a48f8ff6.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/532-65-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/532-68-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download
memory/1208-59-0x0000000001010000-0x0000000001011000-memory.dmp

Filesize
4KB

Download
memory/1208-61-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/1208-62-0x0000000000250000-0x000000000025F000-memory.dmp

Filesize
60KB

Download
memory/1208-63-0x0000000007E30000-0x0000000007EAA000-memory.dmp

Filesize
488KB

Download
memory/1208-64-0x0000000000440000-0x0000000000481000-memory.dmp

Filesize
260KB

Download