formbook | 25bb121fc185b163d00f9f76e52c39a0ffb40db98383fe7ddf8bebef91edd0ff

Analysis

max time kernel
173s
max time network
208s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
11-06-2022 18:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25bb121fc185b163d00f9f76e52c39a0ffb40db98383fe7ddf8bebef91edd0ff.exe
Size

711KB
MD5

008ded486e2d14f6f176ad9d33a00e96
SHA1

94cf6de5d207b6b724ea43dc5fa7e64a44e8b8c0
SHA256

25bb121fc185b163d00f9f76e52c39a0ffb40db98383fe7ddf8bebef91edd0ff
SHA512

2728ae8eca3bd74c42a44d318d1cc09ceffa9bb06fec9fa17406e8d5dd6f783bd8bb2c70b08f8b822e613b5f644dacff211dcd8a674f07771f6e8dd0d34f567f

Score

10^/10

formbook fr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

Decoy

koto-saitoshika.com

hamadcartoon.com

findmyperson.com

greenislandspice.com

tzcp5.com

elyfornoville.com

fuqinjiehuodong.com

psog.biz

comercializadoratancitaro.com

marketmuseum.com

yunbaobit.com

weddingvwcamperhire.com

kinetsi.com

garmentsteamersguide.com

firstchoicecorporatehousing.com

musicianunity.com

thetrustsummit.com

xn--v52b27q.com

crismar.net

cawyhy.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3908-132-0x0000000000D40000-0x0000000000DF6000-memory.dmp	formbook

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4660	3908	WerFault.exe	63

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3908	25bb121fc185b163d00f9f76e52c39a0ffb40db98383fe7ddf8bebef91edd0ff.exe
3908	25bb121fc185b163d00f9f76e52c39a0ffb40db98383fe7ddf8bebef91edd0ff.exe

C:\Users\Admin\AppData\Local\Temp\25bb121fc185b163d00f9f76e52c39a0ffb40db98383fe7ddf8bebef91edd0ff.exe
"C:\Users\Admin\AppData\Local\Temp\25bb121fc185b163d00f9f76e52c39a0ffb40db98383fe7ddf8bebef91edd0ff.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3908
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3908 -s 424
  2⤵
  - Program crash
  PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3908 -ip 3908
1⤵
PID:3220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3908-130-0x0000000000D40000-0x0000000000DF6000-memory.dmp

Filesize
728KB

Download
memory/3908-131-0x0000000009C20000-0x0000000009F6A000-memory.dmp

Filesize
3.3MB

Download
memory/3908-132-0x0000000000D40000-0x0000000000DF6000-memory.dmp

Filesize
728KB

Download