formbook | 0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4

Analysis

max time kernel
143s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
30-05-2022 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe
Size

592KB
MD5

eba12eb17ea697a548abca7bcf4bde71
SHA1

7bb9afa36f50360e562529b6b7cc097ca0f3b962
SHA256

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4
SHA512

3659d873525629feb6b26883d3f1e461d86cf49af88024d6389aae2a1d18181a78b1dad77dbc56ec79223254be1567b80242d2d553768ee8b7d80c53ff38448c

Score

10^/10

formbook sh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

albertparedes.com

landofblockchain.com

flowers2wedding.com

onlinespielenundgewinnen.com

f703148488.win

tomtrottine.com

2cha.net

my-c4eye.net

manchestermusicon.com

ezypzymoney.com

gongjiaochewang.com

sarmacontrol.com

sxxjqgcb.com

test-am-mpdm0709036.com

ganeshajayamandiri.com

brilliancegroupltd.com

ballylongfordwindfarm.com

arthuzo.com

vintagecargo360.com

off-duty.ninja

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/5020-133-0x0000000000400000-0x000000000042A000-memory.dmp	formbook
behavioral2/memory/5020-132-0x0000000000400000-0x0000000000499000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

pid	process
5020	0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe
5020	0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

pid process

5020 0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe

C:\Users\Admin\AppData\Local\Temp\0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe
"C:\Users\Admin\AppData\Local\Temp\0a1c1f4b126157a9ab7e3b90718673794182bba279a567fc4204734383b7a8a4.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5020

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/5020-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/5020-132-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/5020-134-0x00000000031E0000-0x00000000032BB000-memory.dmp

Filesize
876KB

Download
memory/5020-135-0x00007FF819C70000-0x00007FF819E65000-memory.dmp

Filesize
2.0MB

Download
memory/5020-136-0x0000000077BD0000-0x0000000077D73000-memory.dmp

Filesize
1.6MB

Download
memory/5020-137-0x000000000D770000-0x000000000DABA000-memory.dmp

Filesize
3.3MB

Download
memory/5020-138-0x00000000031E0000-0x00000000032BB000-memory.dmp

Filesize
876KB

Download
memory/5020-139-0x0000000077BD0000-0x0000000077D73000-memory.dmp

Filesize
1.6MB

Download