formbook | 37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685

Analysis

max time kernel
145s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 13:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
Size

624KB
MD5

6da8891fb800ab69248ab7fb447e8636
SHA1

e0a985de3aca88960503d02c7d5fa23d4113282a
SHA256

37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685
SHA512

b5a41ed8aab351980bb2b1424570cd19acbee8fcbfd92ca97cc6019857ba50871f21658f970fee6113d1a0a0dfaef74bba96bacd858d85c100dbae942989ebae
SSDEEP

6144:4VZaHGMHjDpfw+FzNMbEj756dGK1YUT33Yz9fAOo/:4VcHGYNfwyp741YGW97o/

Score

10^/10

formbook di rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

baoxiaofan.com

bestwaycartage.com

sag-architecture.com

salamcanteen.com

clinicalpsychologistkerala.com

mttv222.com

theweproject.com

fybbracelets.net

vv666h.com

bangfupin.com

arkprojetos.com

realgoaldigger.com

pilotedphotography.com

6zonxm55.biz

gaoduanmi.com

aminahmad.com

bountymarketing.net

christopher-rennebach.com

02xjys.faith

estilomiau.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4108-135-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/4108-137-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe

pid	process
4108	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
4108	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe

pid process

1580 37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe

pid	process
1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe

description	pid	process	target process
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
PID 1580 wrote to memory of 4108	1580	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe	37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe

C:\Users\Admin\AppData\Local\Temp\37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
"C:\Users\Admin\AppData\Local\Temp\37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Users\Admin\AppData\Local\Temp\37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe
  "C:\Users\Admin\AppData\Local\Temp\37cc27217109c2599463baf39bb3adbe09382fd89f1403aaddedbf59343da685.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-134-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/1580-136-0x0000000002110000-0x0000000002116000-memory.dmp

Filesize
24KB

Download
memory/4108-135-0x0000000000000000-mapping.dmp

Download
memory/4108-137-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4108-138-0x0000000000AA0000-0x0000000000DEA000-memory.dmp

Filesize
3.3MB

Download