formbook | 0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4

Analysis

max time kernel
36s
max time network
46s
platform
windows7_x64
resource
win7-20220414-en
submitted
30-05-2022 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe
Size

592KB
MD5

eba12eb17ea697a548abca7bcf4bde71
SHA1

7bb9afa36f50360e562529b6b7cc097ca0f3b962
SHA256

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4
SHA512

3659d873525629feb6b26883d3f1e461d86cf49af88024d6389aae2a1d18181a78b1dad77dbc56ec79223254be1567b80242d2d553768ee8b7d80c53ff38448c

Score

10^/10

formbook sh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

albertparedes.com

landofblockchain.com

flowers2wedding.com

onlinespielenundgewinnen.com

f703148488.win

tomtrottine.com

2cha.net

my-c4eye.net

manchestermusicon.com

ezypzymoney.com

gongjiaochewang.com

sarmacontrol.com

sxxjqgcb.com

test-am-mpdm0709036.com

ganeshajayamandiri.com

brilliancegroupltd.com

ballylongfordwindfarm.com

arthuzo.com

vintagecargo360.com

off-duty.ninja

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1192-57-0x0000000000400000-0x0000000000499000-memory.dmp	formbook
behavioral1/memory/1192-58-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

pid process

1192 0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

pid process

1192 0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

pid	process
1192	0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

pid	process
1192	0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

C:\Users\Admin\AppData\Local\Temp\0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe
"C:\Users\Admin\AppData\Local\Temp\0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1192

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1192-56-0x00000000765C1000-0x00000000765C3000-memory.dmp

Filesize
8KB

Download
memory/1192-57-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1192-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1192-59-0x00000000036B1000-0x00000000036C2000-memory.dmp

Filesize
68KB

Download
memory/1192-60-0x00000000779A0000-0x0000000077B49000-memory.dmp

Filesize
1.7MB

Download
memory/1192-61-0x0000000077B80000-0x0000000077D00000-memory.dmp

Filesize
1.5MB

Download
memory/1192-62-0x000000000B880000-0x000000000BB83000-memory.dmp

Filesize
3.0MB

Download