formbook | 1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1

Analysis

max time kernel
45s
max time network
48s
platform
windows7_x64
resource
win7-20220414-en
submitted
12-06-2022 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
Size

480KB
MD5

5e498f86a7883500fe650de6eca7626c
SHA1

6509de8d6616bdd91d6db83dc058d3a040da95e7
SHA256

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1
SHA512

f1265ccaa2804c6336819cc9a845d34511203a0c029d8658b0cea25a05c44f80f509c9fcda940654c1ae0393feec1d3288df13fd4d66702f6179af38815d78f8

Score

10^/10

formbook sh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

gingerexcept.win

greaterchapter.com

villageprintingkidron.net

luba87871.com

moaaberg.com

stewart-handyman.com

casachapi.net

merdadevida.com

schnorres.info

sunnygardenhoabinh.net

123nuisibles.net

skindentists.care

jardinejewellery.net

nicolekeppler.com

guiyishahou.com

sonnenschutzversand.net

aoizy.com

breathetaking.com

immoweb-rembourser.com

westvirginiamarijuana.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/944-58-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid process

944 1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid	process
944	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
944	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid	process
944	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
944	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid process

944 1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
Suspicious use of UnmapMainImage 1 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid process

944 1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

C:\Users\Admin\AppData\Local\Temp\1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
"C:\Users\Admin\AppData\Local\Temp\1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
PID:944

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/944-56-0x0000000075801000-0x0000000075803000-memory.dmp

Filesize
8KB

Download
memory/944-58-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/944-59-0x0000000077690000-0x0000000077839000-memory.dmp

Filesize
1.7MB

Download
memory/944-60-0x0000000077870000-0x00000000779F0000-memory.dmp

Filesize
1.5MB

Download
memory/944-61-0x000000000B950000-0x000000000BC53000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads