formbook | 1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5

Analysis

max time kernel
50s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
12-10-2022 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe
Size

939KB
MD5

b2ef30fb8a6e2116cf13adbd70218768
SHA1

66903823fc9f8f6acc93e60e18722520483a8074
SHA256

1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5
SHA512

8bc5fc4a1c868b10418873062646d0d091f95a26324981d4e702ace4dad2274c6a110fdae7e126c6007c30afc1e6ab4cc873d0dfc0b0a9dfff80e0eb8918e33d
SSDEEP

12288:0fEWcBeEn21z+7fM34NMjlbxpanIYVvxUTZu1UFDqB5Gbgnda9LY2uw:AEvBhn2d1huIYfTsDy5GbgndS

Score

10^/10

formbook jr16 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jr16

Decoy

chinmayresort.com

beemine.site

jokihoki.net

spectrum-art.com

lchaxmm.top

garenobizzo.xyz

821riverknoll.com

bluelevelmusic.com

livingroomhotels.com

hilmiozsoysigorta.com

xsgdd.com

rozvezuto.online

inter-ac.online

discotecheitalia.com

judder.xyz

arlington425.site

cn-sk.com

axelarigatomanila.com

qqwe89.site

accography.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1168-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1168-64-0x000000000041F120-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1768 set thread context of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1168	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27
PID 1768 wrote to memory of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27
PID 1768 wrote to memory of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27
PID 1768 wrote to memory of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27
PID 1768 wrote to memory of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27
PID 1768 wrote to memory of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27
PID 1768 wrote to memory of 1168	1768	1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe	27

C:\Users\Admin\AppData\Local\Temp\1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe
"C:\Users\Admin\AppData\Local\Temp\1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Users\Admin\AppData\Local\Temp\1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe
  "C:\Users\Admin\AppData\Local\Temp\1fa440f5e55258c7787165a37d50587cef16558e9734f44b3fb8a194ab38e7d5.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1168-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1168-64-0x000000000041F120-mapping.dmp

Download
memory/1168-65-0x0000000000770000-0x0000000000A73000-memory.dmp

Filesize
3.0MB

Download
memory/1768-54-0x0000000000C60000-0x0000000000D50000-memory.dmp

Filesize
960KB

Download
memory/1768-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1768-56-0x00000000003E0000-0x00000000003FA000-memory.dmp

Filesize
104KB

Download
memory/1768-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1768-58-0x0000000005710000-0x0000000005798000-memory.dmp

Filesize
544KB

Download
memory/1768-59-0x0000000002150000-0x000000000218A000-memory.dmp

Filesize
232KB

Download