formbook | ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
Size

793KB
MD5

726a5840b97555349f40590ea60d72d3
SHA1

5a701381a3c7cc84e1260d8a897d4bc6efab2767
SHA256

ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799
SHA512

90226ad99533e3671c8ea0c89bc791558b7004202ad24dc4cfcbfd8efe1e71077bae694d411c6653a63fbb903ae6b7fdbfa2276fa7232e04069535acf3b5039b
SSDEEP

12288:I0BshJaxmfBqNSJWfg2FP/mfVsleSjASHxSbWOIlSrWZmcZxopaFK:oJaxmbolFPWVQxSElQVt

Score

10^/10

formbook gbc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbc

Decoy

mountaindreamland.com

staticrbandd.com

estatesconstructionco.com

cover-kart.com

riverwayfarm.com

freshdiffuse.com

snkoy.com

itishreehandloom.com

lifespacebuilders.com

ladolcehouse.com

vthisat.com

howdo.support

fortrestpool.com

syndies.com

6e4h7dg0.com

taylorssc.net

shenzhenyunyang.com

technologies.email

newestps5games.com

thinkntyme.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2424-139-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe

description	pid	process	target process
PID 4708 set thread context of 2424	4708	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe

pid	process
2424	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
2424	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe

description	pid	process	target process
PID 4708 wrote to memory of 2424	4708	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
PID 4708 wrote to memory of 2424	4708	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
PID 4708 wrote to memory of 2424	4708	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
PID 4708 wrote to memory of 2424	4708	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
PID 4708 wrote to memory of 2424	4708	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
PID 4708 wrote to memory of 2424	4708	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe	ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe

C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
"C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4708

C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
"C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2424

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2424-138-0x0000000000000000-mapping.dmp

Download
memory/2424-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2424-140-0x0000000001140000-0x000000000148A000-memory.dmp

Filesize
3.3MB

Download
memory/4708-132-0x0000000000780000-0x000000000084C000-memory.dmp

Filesize
816KB

Download
memory/4708-133-0x00000000050D0000-0x000000000516C000-memory.dmp

Filesize
624KB

Download
memory/4708-134-0x0000000005720000-0x0000000005CC4000-memory.dmp

Filesize
5.6MB

Download
memory/4708-135-0x0000000005170000-0x0000000005202000-memory.dmp

Filesize
584KB

Download
memory/4708-136-0x00000000050B0000-0x00000000050BA000-memory.dmp

Filesize
40KB

Download
memory/4708-137-0x0000000005390000-0x00000000053E6000-memory.dmp

Filesize
344KB

Download