formbook | 6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1

Analysis

max time kernel
42s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
Size

340KB
MD5

b6a71f32c73d5392dc3dcf5ebfd9f11a
SHA1

82af158a9984597cfb71570ff87f52421e1b0d2c
SHA256

6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1
SHA512

aa6b1bc9ff70689c0740683c0858a48b348c4d9f018c3ca11745dcb74480efb89b89dc002159576cd0c461ff9b2de320729a3a40f984a83a8698a4e99d4f959b
SSDEEP

6144:D3yaVwC1pYMTJCTmjd3M3YqUoqNgtDK5BGN1BOpF1d8EWkFRTlV1erRSaYv0P3:bVwMmgJEmjd4/UoqNggDGNaFGEWO1edH

Score

10^/10

formbook c239 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

c239

Decoy

shareourjesus.com

lavictoriaesdetodos.com

helpfulproductions.com

waggonerplastics.com

skipouya.com

everyoneshoroscope.com

winterstokeview.com

gutsyhomemakers.com

redstatesdigital.com

themacmeliusshow.com

beautybarnantucket.com

wearetwo-a.com

thenutritionessentialist.com

tapsiwadhwa.com

jundicompany.net

gobocawest.com

woodking.space

elegantap.com

2ndoss.info

ebay1111.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 3 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/608-55-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/608-56-0x000000000041EAF0-mapping.dmp	formbook
behavioral1/memory/1280-58-0x00000000001B0000-0x00000000001DF000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe

description	pid	process	target process
PID 1280 set thread context of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe

pid process

608 6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe

pid	process
608	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe

description	pid	process	target process
PID 1280 wrote to memory of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
PID 1280 wrote to memory of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
PID 1280 wrote to memory of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
PID 1280 wrote to memory of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
PID 1280 wrote to memory of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
PID 1280 wrote to memory of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
PID 1280 wrote to memory of 608	1280	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe	6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe

C:\Users\Admin\AppData\Local\Temp\6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
"C:\Users\Admin\AppData\Local\Temp\6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1280

C:\Users\Admin\AppData\Local\Temp\6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe
"C:\Users\Admin\AppData\Local\Temp\6695ad2b11cf12fe057273b08f07f9020916cb68a2803206ecc31f61b9f6b7f1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:608

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/608-55-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/608-56-0x000000000041EAF0-mapping.dmp

Download
memory/608-59-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1280-54-0x0000000000308000-0x000000000032D000-memory.dmp

Filesize
148KB

Download
memory/1280-57-0x0000000000308000-0x000000000032D000-memory.dmp

Filesize
148KB

Download
memory/1280-58-0x00000000001B0000-0x00000000001DF000-memory.dmp

Filesize
188KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads