formbook | 7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-en-20211208
submitted
09/02/2022, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cb5cd9f8250eaf3861f8774f431032b4.exe
Size

400KB
MD5

cb5cd9f8250eaf3861f8774f431032b4
SHA1

1de8f273480f80f18d070f1f71aa722923759137
SHA256

7357d3e9a33b53dcaf335fecb11100acf0fbeeec2ebf668634de7cd1ba931ae1
SHA512

f7b4bc3996fee5fa1606a85f3d3cce6a1dbd6f14a133c81db0061b91528fc36c9856bd684b5d111ad387fff539720391fc2afd52c3b5803a7e192471a21e74cc

Score

10^/10

formbook k2i4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2i4

Decoy

apehangersbikersgang.com

lhcgrou.com

diveidf.com

timtas.store

jadebody.club

iamjbrussell.com

fwfuv.icu

picchealth.net

batuair.com

z58609.com

punarecotech.com

a-oct.com

xn--wmq0c1qt9mcxhxjkp16a.top

district99.net

5dcoding.com

aripagripoff.biz

abtheagent.com

betterskincareco.com

jsskylight.com

deviseoffice.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1756-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1108 set thread context of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1756	cb5cd9f8250eaf3861f8774f431032b4.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29
PID 1108 wrote to memory of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29
PID 1108 wrote to memory of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29
PID 1108 wrote to memory of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29
PID 1108 wrote to memory of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29
PID 1108 wrote to memory of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29
PID 1108 wrote to memory of 1756	1108	cb5cd9f8250eaf3861f8774f431032b4.exe	29

C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe
"C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe
  "C:\Users\Admin\AppData\Local\Temp\cb5cd9f8250eaf3861f8774f431032b4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1756

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-55-0x0000000073F3E000-0x0000000073F3F000-memory.dmp

Filesize
4KB

Download
memory/1108-56-0x0000000001070000-0x00000000010DA000-memory.dmp

Filesize
424KB

Download
memory/1108-57-0x0000000075421000-0x0000000075423000-memory.dmp

Filesize
8KB

Download
memory/1108-58-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/1108-59-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/1108-60-0x0000000005080000-0x00000000050EA000-memory.dmp

Filesize
424KB

Download
memory/1756-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1756-64-0x00000000009A0000-0x0000000000CA3000-memory.dmp

Filesize
3.0MB

Download