formbook | 563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100

Analysis

max time kernel
101s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20220722-en
resource tags

arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2022 04:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
Size

648KB
MD5

9dfd7e7140b3e28495885a24e4a6cd3e
SHA1

40be250d044f17e1bcb8d7a77787ab3021304135
SHA256

563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100
SHA512

a82a76988c017f3be88bd2b7ca58d06d738176f8cce37da9b8b7acef93c6ade17496b20bc036d669bfb6d8d5f69f0751c65fb9edb606d902769c0dcca949b9f9

Score

10^/10

formbook sh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

westoffice.net

open-sgi.info

night-club.online

tv17404.info

0472game.com

haberlerim.net

my-web.net

360almeria.com

healthyair.cymru

anxietysupresant.info

domainprodssl1309test.com

tolgakorkmaz.com

laklapos.com

4y978g.info

entitydatabase.info

jese52.party

redstarnepal.com

internationaldrugdiscovery.com

crafting.solutions

lecodedumariage.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1456-135-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/1456-137-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe

pid	process
1456	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
1456	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe

pid process

2340 563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe

pid	process
2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe

description	pid	process	target process
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
PID 2340 wrote to memory of 1456	2340	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe	563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe

C:\Users\Admin\AppData\Local\Temp\563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
"C:\Users\Admin\AppData\Local\Temp\563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2340

C:\Users\Admin\AppData\Local\Temp\563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe
"C:\Users\Admin\AppData\Local\Temp\563d47d478f8801e30794cb812be024827bd3280de9fbe97308480191f623100.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1456-135-0x0000000000000000-mapping.dmp

Download
memory/1456-137-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1456-138-0x0000000000AD0000-0x0000000000E1A000-memory.dmp

Filesize
3.3MB

Download
memory/2340-134-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download
memory/2340-136-0x0000000002280000-0x0000000002286000-memory.dmp

Filesize
24KB

Download