formbook | a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e

Analysis

max time kernel
140s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
Size

1.6MB
MD5

38686818a4717da90e4d7b382bc4bc47
SHA1

b82a60c2648a68e22148e1171e8afc546be1489b
SHA256

a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e
SHA512

916a7327c5e24a9f685e2f4e6c180a4ed38f7be31ef848f2b197cf4549e1acd5f1955459ceb6fbdbb0f0cebea44df9c447d462f36eaafc6580644a6ab0c4274e
SSDEEP

12288:jdPcrxdJjY7iuUxQUNvi9tHeV6tEujmjRPTjRPyjBjjijBjBjBjBjLjgzOLT6f7d:jdkdQ4QUitHC6q41EAD2EmX6wW

Score

10^/10

formbook gbr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbr

Decoy

serabet.com

galanggroup.com

zweitmeinung-urologie.com

damsalon.com

binliwine.com

lifeladderindia.com

flyingwranchmanagement.com

tripsandturns.com

3headdesign.com

aluminumfacade.com

toprestau.com

facetreatspa.com

periodrescuekit.com

dbaojian.com

altinotokurtarma.com

gkpelle.com

loguslife.com

treatse.com

lghglzcnkx.net

jawharabh.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/992-61-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/992-62-0x000000000041EB10-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe

description	pid	process	target process
PID 1388 set thread context of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe

pid process

992 a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe

pid	process
992	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe

description	pid	process	target process
PID 1388 wrote to memory of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
PID 1388 wrote to memory of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
PID 1388 wrote to memory of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
PID 1388 wrote to memory of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
PID 1388 wrote to memory of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
PID 1388 wrote to memory of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
PID 1388 wrote to memory of 992	1388	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe	a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe

C:\Users\Admin\AppData\Local\Temp\a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
"C:\Users\Admin\AppData\Local\Temp\a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe
"C:\Users\Admin\AppData\Local\Temp\a5f80157e87e9b1d0d1b501fe555b248e14763b63bdb63d6e3e147d98b20668e.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:992

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
1⤵
PID:760

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/992-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/992-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/992-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/992-62-0x000000000041EB10-mapping.dmp

Download
memory/992-63-0x0000000000860000-0x0000000000B63000-memory.dmp

Filesize
3.0MB

Download
memory/1388-54-0x0000000000EC0000-0x0000000001068000-memory.dmp

Filesize
1.7MB

Download
memory/1388-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-56-0x0000000000550000-0x000000000055A000-memory.dmp

Filesize
40KB

Download
memory/1388-57-0x0000000004C50000-0x0000000004CAC000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads