formbook | 4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353

Analysis

max time kernel
157s
max time network
168s
platform
windows10_x64
resource
win10-20220414-en
submitted
09-06-2022 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
Size

688KB
MD5

99912794ef989327c3a99a7afd6439ad
SHA1

aaee4dbefc9ce54cf45e16b8a921ef16681ee5b5
SHA256

4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353
SHA512

64c9a72beeff481f5ac0656e7b7f64a1e514a224eb236ff9c9dee03696af0f5f043dc0ef8236d6493ca91d91ae2643c4ac45e0fd9aaf854bd290f43bac244188

Score

10^/10

formbook fw02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/3008-187-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/3008-188-0x000000000041F150-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

description	pid	process	target process
PID 2956 set thread context of 3008	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

pid	process
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
3008	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
3008	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

description pid process

Token: SeDebugPrivilege 2956 4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

description	pid	process
Token: SeDebugPrivilege	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

description	pid	process	target process
PID 2956 wrote to memory of 5048	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 5048	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 5048	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 3008	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 3008	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 3008	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 3008	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 3008	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
PID 2956 wrote to memory of 3008	2956	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe	4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe

C:\Users\Admin\AppData\Local\Temp\4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
"C:\Users\Admin\AppData\Local\Temp\4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2956

C:\Users\Admin\AppData\Local\Temp\4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
"C:\Users\Admin\AppData\Local\Temp\4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe"
2⤵
PID:5048

C:\Users\Admin\AppData\Local\Temp\4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe
"C:\Users\Admin\AppData\Local\Temp\4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3008

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2956-117-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-118-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-119-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-120-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-121-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-122-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-123-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-124-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-125-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-126-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-127-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-128-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-129-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-130-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-131-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-132-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-133-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-134-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-135-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-136-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-137-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-138-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-139-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-140-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-141-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-142-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-143-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-144-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-145-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-146-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-147-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-148-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-149-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-150-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-151-0x0000000000640000-0x00000000006F0000-memory.dmp

Filesize
704KB

Download
memory/2956-152-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-153-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-154-0x00000000054A0000-0x000000000599E000-memory.dmp

Filesize
5.0MB

Download
memory/2956-155-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-156-0x0000000005040000-0x00000000050D2000-memory.dmp

Filesize
584KB

Download
memory/2956-157-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-158-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-159-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-160-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-161-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-162-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-163-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-164-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-165-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-166-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-167-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-168-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-169-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-170-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-171-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-172-0x00000000029E0000-0x00000000029EA000-memory.dmp

Filesize
40KB

Download
memory/2956-173-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-174-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-175-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-176-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-177-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-178-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-179-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-180-0x0000000004FE0000-0x0000000004FF6000-memory.dmp

Filesize
88KB

Download
memory/2956-181-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/2956-182-0x0000000008A30000-0x0000000008ACC000-memory.dmp

Filesize
624KB

Download
memory/2956-183-0x0000000008B90000-0x0000000008C22000-memory.dmp

Filesize
584KB

Download
memory/2956-184-0x0000000000EA0000-0x0000000000F06000-memory.dmp

Filesize
408KB

Download
memory/2956-185-0x0000000000BD0000-0x0000000000C04000-memory.dmp

Filesize
208KB

Download
memory/2956-186-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3008-188-0x000000000041F150-mapping.dmp

Download
memory/3008-189-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-190-0x0000000077820000-0x00000000779AE000-memory.dmp

Filesize
1.6MB

Download
memory/3008-195-0x0000000001390000-0x00000000016B0000-memory.dmp

Filesize
3.1MB

Download
memory/3008-196-0x0000000001390000-0x00000000016B0000-memory.dmp

Filesize
3.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads