formbook | 1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1

Analysis

max time kernel
112s
max time network
136s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
12-06-2022 19:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
Size

480KB
MD5

5e498f86a7883500fe650de6eca7626c
SHA1

6509de8d6616bdd91d6db83dc058d3a040da95e7
SHA256

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1
SHA512

f1265ccaa2804c6336819cc9a845d34511203a0c029d8658b0cea25a05c44f80f509c9fcda940654c1ae0393feec1d3288df13fd4d66702f6179af38815d78f8

Score

10^/10

formbook sh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

gingerexcept.win

greaterchapter.com

villageprintingkidron.net

luba87871.com

moaaberg.com

stewart-handyman.com

casachapi.net

merdadevida.com

schnorres.info

sunnygardenhoabinh.net

123nuisibles.net

skindentists.care

jardinejewellery.net

nicolekeppler.com

guiyishahou.com

sonnenschutzversand.net

aoizy.com

breathetaking.com

immoweb-rembourser.com

westvirginiamarijuana.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook Payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4744-133-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4632 4744 WerFault.exe 1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid	pid_target	process	target process
4632	4744	WerFault.exe	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid	process
4744	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
4744	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid	process
4744	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
4744	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid	process
4744	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
4744	1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

pid process

4744 1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe

C:\Users\Admin\AppData\Local\Temp\1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe
"C:\Users\Admin\AppData\Local\Temp\1f09f6eb2b8557f4eff4c52252600e69a9efe1df9ba86d4ad1013ccdd57f5bd1.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4744 -s 900
2⤵
- Program crash
PID:4632

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4744 -ip 4744
1⤵
PID:4948

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4744-133-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4744-134-0x00000000050B1000-0x00000000050B9000-memory.dmp

Filesize
32KB

Download
memory/4744-135-0x00007FFBE0EF0000-0x00007FFBE10E5000-memory.dmp

Filesize
2.0MB

Download
memory/4744-136-0x0000000076F00000-0x00000000770A3000-memory.dmp

Filesize
1.6MB

Download
memory/4744-137-0x000000000D520000-0x000000000D86A000-memory.dmp

Filesize
3.3MB

Download
memory/4744-138-0x0000000076F00000-0x00000000770A3000-memory.dmp

Filesize
1.6MB

Download