formbook | 27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162

Analysis

max time kernel
55s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
18-10-2022 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
Size

988KB
MD5

1af8f4ac0eb2cde05f545828c3f9f04f
SHA1

7a6882b53d98889f815e2eae79a478cb4e6b22d4
SHA256

27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162
SHA512

2906e8dbb7b6859a156bafa01d3d07de50a84173519933c63c1066dd9124ca595e716d710f7b21ae07a21136c9a296c8bde1b2c0fdc41ace3b30ce942818557b
SSDEEP

12288:ur1cA2iNaxfvX1QmLIf5hjKEM17GQ7F9cmLy0HAgwpsJDWhqWfu:A1S1wbKr7bcKesJChBf

Score

10^/10

formbook p94a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p94a

Decoy

wishgrove.com

parqueveiculos.com

spiderwebs.online

chulkanadham.com

cdtuan.net

zxazm.com

payment6528832.xyz

fengtaiol.com

bffsmovie.com

aliceseagerfitness.com

garisluruskonsulindo.website

analytical-gutter.net

ahcq8.com

fenyoga.com

ecleptic.cat

conjurecrafts.com

aquaway.date

apenpokkenschoonmaakbedrijf.com

zgramr.top

boweknives.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1904-64-0x000000000041F0F0-mapping.dmp	formbook
behavioral1/memory/1904-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe

description	pid	process	target process
PID 968 set thread context of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe

pid process

1904 27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe

pid	process
1904	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe

description	pid	process	target process
PID 968 wrote to memory of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
PID 968 wrote to memory of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
PID 968 wrote to memory of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
PID 968 wrote to memory of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
PID 968 wrote to memory of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
PID 968 wrote to memory of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
PID 968 wrote to memory of 1904	968	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe	27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe

C:\Users\Admin\AppData\Local\Temp\27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
"C:\Users\Admin\AppData\Local\Temp\27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:968

C:\Users\Admin\AppData\Local\Temp\27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe
"C:\Users\Admin\AppData\Local\Temp\27f2087a1eb0f0ad0178f59eb8924ead92b1104132ed638897fca915c7e5c162.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1904

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/968-54-0x0000000000E60000-0x0000000000F5E000-memory.dmp

Filesize
1016KB

Download
memory/968-55-0x0000000076831000-0x0000000076833000-memory.dmp

Filesize
8KB

Download
memory/968-56-0x00000000002B0000-0x00000000002C8000-memory.dmp

Filesize
96KB

Download
memory/968-57-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/968-58-0x0000000004E40000-0x0000000004ED0000-memory.dmp

Filesize
576KB

Download
memory/968-59-0x0000000000CF0000-0x0000000000D24000-memory.dmp

Filesize
208KB

Download
memory/1904-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-64-0x000000000041F0F0-mapping.dmp

Download
memory/1904-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1904-65-0x0000000000880000-0x0000000000B83000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads