formbook | 4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127

Analysis

max time kernel
91s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
resource tags

arch:x64arch:x86image:win10v2004-20220414-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2022 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
Size

640KB
MD5

ab747938ae2d719cfc8122a2ef9bf7b5
SHA1

6a73acab4ecca124433a13c25cc9f2c2a9fded00
SHA256

4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127
SHA512

2bc5d93a802d03c484a207853bfad2f562c73bf2e56445005b96dbb718f9621c88eb17dc961b97e313e32413e619891b3d5a74b994730c27fc53859a8c45057b

Score

10^/10

formbook h29 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

h29

Decoy

apmurmarketing.online

gayoo.link

xueyesanxia.com

901propertyhub.com

bennandninaswedding.com

liembarbershop.com

hairdroplabs.com

shipperai.com

assaffish.com

gigantesdalimpeza.com

handyandync.com

kalenderonlinegestalten.com

rdlldl.info

kjqzxo.com

electronics-online.co.uk

dghgqi4sns.com

justanothercoach.com

chaoscreates.com

agrobalear.net

322zbr.info

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1036-133-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/1036-136-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe

pid	process
1036	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
1036	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe

pid process

2496 4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe

pid	process
2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe

description	pid	process	target process
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
PID 2496 wrote to memory of 1036	2496	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe	4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe

C:\Users\Admin\AppData\Local\Temp\4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
"C:\Users\Admin\AppData\Local\Temp\4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2496

C:\Users\Admin\AppData\Local\Temp\4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe
"C:\Users\Admin\AppData\Local\Temp\4fe1ff24a1755279e09706f0b52dd1a1dbbdfed3490c29e5159fd1e8f21d3127.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1036-133-0x0000000000000000-mapping.dmp

Download
memory/1036-135-0x0000000000B60000-0x0000000000EAA000-memory.dmp

Filesize
3.3MB

Download
memory/1036-136-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/2496-132-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download
memory/2496-134-0x0000000002250000-0x0000000002256000-memory.dmp

Filesize
24KB

Download