formbook | 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1

Analysis

max time kernel
36s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
Size

2.5MB
MD5

3b2839138c381fe2901d2daa9290b462
SHA1

4ccb206f3f9be21d42c588be9a65417da11706fe
SHA256

10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1
SHA512

2c171f522f9721003fd98e0f718152338e27475dda29f635484c36b6a8e69a74a21e00e26d7c0c106b2651069d8bf8b0f0fc23e2a4dc905a751a1cfc7f3e6113
SSDEEP

49152:WtoZ0ajbQzlq5O+l4QOnn8jeX+l8uvlhfNf5lWLPNyeL9+hw/USGy7Xk/51HwgGh:W6X0zlC6mc98IQ1a7

Score

10^/10

formbook u3q rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u3q

Decoy

wingenomics.com

malwaredeepdive.com

uvdxkup.icu

safeweb-url624.com

lighthousetan.com

liumeilin.com

thaiexpressnyc.com

primedperspective.com

georgekwalker.com

purelife-gt.com

theboseproject.com

moralalaska.icu

anthonysoflittleitaly.com

talahadavi.com

waterbrooksacademy.com

aluneaproaieauayauwpalaua.com

mytshirtforlife.com

penerbitlayung.com

chainslugs.com

bhbgsc.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Beds Protector Packer 1 IoCs

Detects Beds Protector packer used to load .NET malware.

Processes:

resource	yara_rule
behavioral1/memory/1880-56-0x00000000052F0000-0x000000000555E000-memory.dmp	beds_protector

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1176-62-0x000000000041EB70-mapping.dmp	formbook
behavioral1/memory/1176-61-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe

description	pid	process	target process
PID 1880 set thread context of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe

pid process

1176 10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe

pid	process
1176	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe

description	pid	process	target process
PID 1880 wrote to memory of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
PID 1880 wrote to memory of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
PID 1880 wrote to memory of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
PID 1880 wrote to memory of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
PID 1880 wrote to memory of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
PID 1880 wrote to memory of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
PID 1880 wrote to memory of 1176	1880	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe	10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe

C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
"C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe
"C:\Users\Admin\AppData\Local\Temp\10bd3380601961166b5df308a6927cd6f50a4ab258e60f2aef93292e756d7aa1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1176

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1176-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1176-62-0x000000000041EB70-mapping.dmp

Download
memory/1176-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1176-63-0x0000000000830000-0x0000000000B33000-memory.dmp

Filesize
3.0MB

Download
memory/1880-54-0x0000000000CA0000-0x0000000000F32000-memory.dmp

Filesize
2.6MB

Download
memory/1880-55-0x0000000075201000-0x0000000075203000-memory.dmp

Filesize
8KB

Download
memory/1880-56-0x00000000052F0000-0x000000000555E000-memory.dmp

Filesize
2.4MB

Download
memory/1880-57-0x0000000000320000-0x0000000000336000-memory.dmp

Filesize
88KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads