formbook | 66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37 | Triage

Analysis

max time kernel
125s
max time network
136s
platform
windows10_x64
resource
win10-en-20211208
submitted
28-01-2022 22:19

Sharing

Report Analysis Logs

General

Target

66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
Size

711KB
MD5

28996f9f1e4b645eed15f6bc8b51d937
SHA1

190bec54bcc632a8d676ff9df2b4bcec455c25fc
SHA256

66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37
SHA512

63a43eb9e28a869d0af32b745e61f39b429179af988592f98dec6e2175a013a442b4e1f1b21fa5ef378f92e9849c62c4dc7e21f169b745000f2bdc603abe1599

Score

10^/10

formbook ge rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ge

Decoy

basakpentamir.com

pilgrimbaits-premium.com

ab5pp.com

fjtts.com

stpelectronics.com

foraol.com

protagonista.info

nigeriasno1datingsite.com

dignity.live

bodyworldholdings.com

01lover.com

wwwjinsha045.com

serverlan.info

themachinevspeople.info

bergencountyautosales.com

hillsidemanor.house

sergiypavlyukphoto.com

abetterforupgrades.date

lokireddygroup.com

il-hotels-review.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2240-129-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/3756-134-0x0000000001670000-0x00000000017BA000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

description	pid	process	target process
PID 3756 set thread context of 2240	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

pid	process
2240	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
2240	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

pid	process
3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

pid	process
3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

description	pid	process	target process
PID 3756 wrote to memory of 4080	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 4080	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 4080	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 4076	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 4076	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 4076	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 3964	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 3964	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 3964	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 1856	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 1856	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 1856	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 2240	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 2240	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 2240	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 2240	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
PID 3756 wrote to memory of 2240	3756	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe	66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe

C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
"C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3756

C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
"C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe"
2⤵
PID:4080

C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
"C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe"
2⤵
PID:4076

C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
"C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe"
2⤵
PID:3964

C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
"C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe"
2⤵
PID:1856

C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe
"C:\Users\Admin\AppData\Local\Temp\66b2b5112b9aa05cd1c1d65b09499aecd3798e90af4cb2bfc7844372b4ba6f37.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2240

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-129-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2240-135-0x0000000001750000-0x0000000001A70000-memory.dmp

Filesize
3.1MB

Download
memory/3756-134-0x0000000001670000-0x00000000017BA000-memory.dmp

Filesize
1.3MB

Download