formbook | 4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7

Analysis

max time kernel
229s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe
Size

472KB
MD5

e7cc07a1704145c6843330345fd1ce0b
SHA1

6da282da7b2151eeb7da06b0ce8e1beb64e585a1
SHA256

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7
SHA512

45ed8bf0670a38dc090f766120e1e1612826a24434c39b6afacb04ed023fafd2561a53e2680917cb5fdcea8919bcc5c20af0e53eebaa181d186dc6b4eba01b6e
SSDEEP

12288:Yz2RENHa7bDjN3MyC2AzkfCpzGmZSgW+b3:Yzuw2N2pzGmq+b

Score

10^/10

formbook by rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.0

Campaign

Decoy

mozkuia.com

oyxezj.men

valuecodeconsultants.com

ivyleaguetraining.com

darqvam.run

izmirkadinsagligi.com

cvn8866.com

yourbigandgood4updates.review

cajienvios.com

promypages.info

trendsreverso.com

veganspoonfuls.info

p2ptexting.com

hdwmy.com

wmrobots.net

danstamos.com

rewardcarousel.com

esports-mindset.com

kccustodylawyer.com

longdingsz.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/692-56-0x0000000010000000-0x000000001007A000-memory.dmp	formbook

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1476 692 WerFault.exe 4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

pid process

692 4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

pid	pid_target	process	target process
1476	692	WerFault.exe	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

pid	process
692	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

description	pid	process	target process
PID 692 wrote to memory of 1476	692	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe	WerFault.exe
PID 692 wrote to memory of 1476	692	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe	WerFault.exe
PID 692 wrote to memory of 1476	692	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe	WerFault.exe
PID 692 wrote to memory of 1476	692	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe
"C:\Users\Admin\AppData\Local\Temp\4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:692

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 692 -s 152
2⤵
- Program crash
PID:1476

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/692-54-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/692-56-0x0000000010000000-0x000000001007A000-memory.dmp

Filesize
488KB

Download
memory/692-57-0x0000000001F80000-0x0000000002283000-memory.dmp

Filesize
3.0MB

Download
memory/1476-55-0x0000000000000000-mapping.dmp

Download