formbook | 0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878 | Triage

Analysis

max time kernel
184s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
09-05-2022 00:40

Sharing

Report Analysis Logs

General

Target

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
Size

1.2MB
MD5

a96b7c63e619507c2e2f0d6578c64a04
SHA1

8901dbed4ad6f73fc0a9ba1682bbffb6808e429f
SHA256

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878
SHA512

0dfe34d046341545a468e842d7df09a386fff1e96fc1f4d400a6c47c5a73dd9ca5ac0655087fe4ee078aee81d7b993499a3c2360d503020cd5ab05bb9c6b02e1

Score

10^/10

formbook 3nop rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

bakecakesandmore.com

shenglisuoye.com

chinapopfactory.com

ynlrhd.com

liqourforyou.com

leonqamil.com

meccafon.com

online-marketing-strategie.biz

rbfxi.com

frseyb.info

leyu91.com

hotsmail.today

beepot.tech

dunaemmetmobility.com

sixpenceworkshop.com

incrediblefavorcoaching.com

pofo.info

yanshudaili.com

yellowbrickwedding.com

paintpartyblueprint.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3340-133-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Drops startup file 1 IoCs

Processes:

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SgrmLpac.url	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

description	pid	process	target process
PID 1692 set thread context of 3340	1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

pid	process
3340	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
3340	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

pid process

1692 0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

pid	process
1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

Suspicious use of SendNotifyMessage 3 IoCs

Processes:

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

pid	process
1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

description	pid	process	target process
PID 1692 wrote to memory of 3340	1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
PID 1692 wrote to memory of 3340	1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
PID 1692 wrote to memory of 3340	1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
PID 1692 wrote to memory of 3340	1692	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe	0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe

C:\Users\Admin\AppData\Local\Temp\0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
"C:\Users\Admin\AppData\Local\Temp\0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Users\Admin\AppData\Local\Temp\0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe
"C:\Users\Admin\AppData\Local\Temp\0bfad235516b2334cb08d5a91165ab3cdbbf0dc40caa8cc51a8c80308b78c878.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3340

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1692-131-0x00000000049F0000-0x0000000004A1D000-memory.dmp

Filesize
180KB

Download
memory/3340-130-0x0000000000000000-mapping.dmp

Download
memory/3340-132-0x00000000017C0000-0x0000000001B0A000-memory.dmp

Filesize
3.3MB

Download
memory/3340-133-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download