formbook | ab380ec497114c124eaabbb96f643cb20dfb24d0618be4934c19c4062f82fa71

Analysis

max time kernel
112s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/10/2022, 06:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c1d74ec41c57e24503bb5f05117a0215.exe
Size

873KB
MD5

c1d74ec41c57e24503bb5f05117a0215
SHA1

47bd6a606edd6229962526f5488c5c8635acc50e
SHA256

ab380ec497114c124eaabbb96f643cb20dfb24d0618be4934c19c4062f82fa71
SHA512

43ab24a193c2c5698c4a6d5fb6122f29204109dd608c1bd936be5104f2da29d3996cfdf6b20cbfc2d83559f0b2691f6f6dd9d098fc0ef4710b0e0b5997249bbf
SSDEEP

12288:Rqh702iNpEmR/B4C0UW6Tggk3PuhB4QJP1vwY1LFUFWs8JTEc72d/DW7UKt:d1BWU7ggnhfrvwY15UIDhAg

Score

10^/10

formbook hn73 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hn73

Decoy

medusaams.com

ekyas.com

deadandcompanyindianapolis.net

winnersclub.live

gozero.buzz

sdmfeh.xyz

rikfiri.com

happyworld.tech

oculusquest2linkcable.com

cksexdoll.top

aitechconsulting.net

prstampsevery.shop

kioskdz.com

fogg.productions

7gu7x5mc.com

thefactoryco.com

dvsmanpowerenterprises.com

dreamwins5.com

bgs-abogados.com

arthursouza.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4032-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2124 set thread context of 4032	2124	c1d74ec41c57e24503bb5f05117a0215.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4032	c1d74ec41c57e24503bb5f05117a0215.exe
4032	c1d74ec41c57e24503bb5f05117a0215.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 4032	2124	c1d74ec41c57e24503bb5f05117a0215.exe	91
PID 2124 wrote to memory of 4032	2124	c1d74ec41c57e24503bb5f05117a0215.exe	91
PID 2124 wrote to memory of 4032	2124	c1d74ec41c57e24503bb5f05117a0215.exe	91
PID 2124 wrote to memory of 4032	2124	c1d74ec41c57e24503bb5f05117a0215.exe	91
PID 2124 wrote to memory of 4032	2124	c1d74ec41c57e24503bb5f05117a0215.exe	91
PID 2124 wrote to memory of 4032	2124	c1d74ec41c57e24503bb5f05117a0215.exe	91

C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe
"C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe
  "C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2124-132-0x00000000002F0000-0x00000000003D0000-memory.dmp

Filesize
896KB

Download
memory/2124-133-0x0000000005360000-0x0000000005904000-memory.dmp

Filesize
5.6MB

Download
memory/2124-134-0x0000000004DB0000-0x0000000004E42000-memory.dmp

Filesize
584KB

Download
memory/2124-135-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/2124-136-0x0000000007280000-0x000000000731C000-memory.dmp

Filesize
624KB

Download
memory/4032-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4032-139-0x00000000013A0000-0x00000000016EA000-memory.dmp

Filesize
3.3MB

Download