formbook | 218a43f5f1a1bb3a7974fe8fd0532829b1b858dec3c8d6bc2a5835a6bb735321

Analysis

max time kernel
106s
max time network
24s
platform
windows7_x64
resource
win7-en-20210920
submitted
30-09-2021 11:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New order and image.exe
Size

326KB
MD5

d7dd8868b5318b516d22930a624d096d
SHA1

4a01fcbced1e4234bfd10ea8980b6c65684f3b28
SHA256

218a43f5f1a1bb3a7974fe8fd0532829b1b858dec3c8d6bc2a5835a6bb735321
SHA512

1f93982b39ff3142c7248bfd5c4ffe3d05ecb4d8a0f0a89edd0f22d96bb9d2eaa1af6420623458cafd29a50d6388f829a9e931cd93bc8a594464aa0ac5071ff8

Score

10^/10

formbook dn7r rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dn7r

http://www.yourherogarden.net/dn7r/

Decoy

eventphotographerdfw.com

thehalalcoinstaking.com

philipfaziofineart.com

intercoh.com

gaiaseyephotography.com

chatbotforrealestate.com

lovelancemg.com

marlieskasberger.com

elcongoenespanol.info

lepirecredit.com

distribution-concept.com

e99game.com

exit11festival.com

twodollartoothbrushclub.com

cocktailsandlawn.com

performimprove.network

24horas-telefono-11840.com

cosmossify.com

kellenleote.com

perovskite.energy

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1080-55-0x0000000000400000-0x0000000000881000-memory.dmp	formbook
behavioral1/memory/1080-54-0x0000000000250000-0x000000000027F000-memory.dmp	formbook
behavioral1/memory/612-57-0x0000000000200000-0x0000000000260000-memory.dmp	formbook

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

612 1080 WerFault.exe New order and image.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

WerFault.exe

pid process

612 WerFault.exe
612 WerFault.exe
612 WerFault.exe
612 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

612 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 612 WerFault.exe

pid	pid_target	process	target process
612	1080	WerFault.exe	New order and image.exe

pid	process
612	WerFault.exe
612	WerFault.exe
612	WerFault.exe
612	WerFault.exe

pid	process
612	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	612	WerFault.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

New order and image.exe

description	pid	process	target process
PID 1080 wrote to memory of 612	1080	New order and image.exe	WerFault.exe
PID 1080 wrote to memory of 612	1080	New order and image.exe	WerFault.exe
PID 1080 wrote to memory of 612	1080	New order and image.exe	WerFault.exe
PID 1080 wrote to memory of 612	1080	New order and image.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\New order and image.exe
"C:\Users\Admin\AppData\Local\Temp\New order and image.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1080

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1080 -s 72
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:612

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/612-53-0x0000000000000000-mapping.dmp

Download
memory/612-56-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/612-57-0x0000000000200000-0x0000000000260000-memory.dmp

Filesize
384KB

Download
memory/1080-55-0x0000000000400000-0x0000000000881000-memory.dmp

Filesize
4.5MB

Download
memory/1080-54-0x0000000000250000-0x000000000027F000-memory.dmp

Filesize
188KB

Download