formbook | ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431

Analysis

max time kernel
90s
max time network
105s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2022 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
Size

832KB
MD5

b801c9cfb9c362113591d0c7510be488
SHA1

7ba12b0c2373a7420043ab9ea207ffe43ab223d2
SHA256

ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431
SHA512

cc9a2b47345c2cc97b386005a575a18cf68dc4362a044c957dc833957c8a6e80ebe1655812a69635dd969edd7412484cba0107e5d0a9fae808f6bc6f91d40a79
SSDEEP

12288:nfz4Stx/uXgbvbQaglEYlHkDwyfqUUcwIlR/HKsAqxiS25cdk:nfXtx/EgbbXatpGpiUUulFq7qwwk

Score

10^/10

formbook p94a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p94a

Decoy

wishgrove.com

parqueveiculos.com

spiderwebs.online

chulkanadham.com

cdtuan.net

zxazm.com

payment6528832.xyz

fengtaiol.com

bffsmovie.com

aliceseagerfitness.com

garisluruskonsulindo.website

analytical-gutter.net

ahcq8.com

fenyoga.com

ecleptic.cat

conjurecrafts.com

aquaway.date

apenpokkenschoonmaakbedrijf.com

zgramr.top

boweknives.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/748-139-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe

description	pid	process	target process
PID 4936 set thread context of 748	4936	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe

pid	process
748	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
748	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe

description	pid	process	target process
PID 4936 wrote to memory of 748	4936	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
PID 4936 wrote to memory of 748	4936	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
PID 4936 wrote to memory of 748	4936	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
PID 4936 wrote to memory of 748	4936	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
PID 4936 wrote to memory of 748	4936	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
PID 4936 wrote to memory of 748	4936	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe	ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe

C:\Users\Admin\AppData\Local\Temp\ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
"C:\Users\Admin\AppData\Local\Temp\ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4936

C:\Users\Admin\AppData\Local\Temp\ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe
"C:\Users\Admin\AppData\Local\Temp\ec50585dab84864994cf600d29f959c3a510b149b6c8a379e077376d6ceed431.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-138-0x0000000000000000-mapping.dmp

Download
memory/748-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/748-140-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download
memory/4936-132-0x0000000000D90000-0x0000000000E66000-memory.dmp

Filesize
856KB

Download
memory/4936-133-0x0000000005CF0000-0x0000000006294000-memory.dmp

Filesize
5.6MB

Download
memory/4936-134-0x0000000005740000-0x00000000057D2000-memory.dmp

Filesize
584KB

Download
memory/4936-135-0x00000000056B0000-0x00000000056BA000-memory.dmp

Filesize
40KB

Download
memory/4936-136-0x0000000009060000-0x00000000090FC000-memory.dmp

Filesize
624KB

Download
memory/4936-137-0x0000000009100000-0x0000000009166000-memory.dmp

Filesize
408KB

Download