formbook | fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
06-08-2022 06:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
Size

320KB
MD5

f6c8a8e5346a698e0733248a0ec6e323
SHA1

6e0be3bcd53afae69635fdecb1b7f350f9306563
SHA256

fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba
SHA512

076578e7d60d26215fb7f43b58873abda5ee83bf31d8969b0a0ca9a8bdf91774487ece9d6ffb6a32c57154269d84f9ac2c3926bc76e944b87c59fc9f2d5dfd84

Score

10^/10

formbook eni9 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

eni9

Decoy

serenatutino.com

oshuncleaningservices.com

themodernring.com

elhoodurbano.com

borntobeabrand.com

wingene168.com

raising.cloud

kumen.store

azdistribution.store

myrecordingapp.com

minshu.info

zhongxiangxinge.com

linentemptation.com

corealestatevideo.com

carpection.com

mompreneur.services

ent34.com

udicoin.net

trulyclassical.com

paraalemdatela.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2376-134-0x0000000000800000-0x000000000082F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe

description	pid	process	target process
PID 1816 set thread context of 2376	1816	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1996 2376 WerFault.exe fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe

pid	pid_target	process	target process
1996	2376	WerFault.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe

description	pid	process	target process
PID 1816 wrote to memory of 2376	1816	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
PID 1816 wrote to memory of 2376	1816	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
PID 1816 wrote to memory of 2376	1816	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
PID 1816 wrote to memory of 2376	1816	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
PID 1816 wrote to memory of 2376	1816	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
PID 1816 wrote to memory of 2376	1816	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe	fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe

C:\Users\Admin\AppData\Local\Temp\fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
"C:\Users\Admin\AppData\Local\Temp\fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe
"C:\Users\Admin\AppData\Local\Temp\fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba.exe"
2⤵
PID:2376

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2376 -s 184
3⤵
- Program crash
PID:1996

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2376 -ip 2376
1⤵
PID:1272

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1816-130-0x0000000000E90000-0x0000000000EE4000-memory.dmp

Filesize
336KB

Download
memory/1816-131-0x0000000005D50000-0x00000000062F4000-memory.dmp

Filesize
5.6MB

Download
memory/2376-132-0x0000000000000000-mapping.dmp

Download
memory/2376-134-0x0000000000800000-0x000000000082F000-memory.dmp

Filesize
188KB

Download