formbook | 4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 18:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe
Size

472KB
MD5

e7cc07a1704145c6843330345fd1ce0b
SHA1

6da282da7b2151eeb7da06b0ce8e1beb64e585a1
SHA256

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7
SHA512

45ed8bf0670a38dc090f766120e1e1612826a24434c39b6afacb04ed023fafd2561a53e2680917cb5fdcea8919bcc5c20af0e53eebaa181d186dc6b4eba01b6e
SSDEEP

12288:Yz2RENHa7bDjN3MyC2AzkfCpzGmZSgW+b3:Yzuw2N2pzGmq+b

Score

10^/10

formbook by rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.0

Campaign

Decoy

mozkuia.com

oyxezj.men

valuecodeconsultants.com

ivyleaguetraining.com

darqvam.run

izmirkadinsagligi.com

cvn8866.com

yourbigandgood4updates.review

cajienvios.com

promypages.info

trendsreverso.com

veganspoonfuls.info

p2ptexting.com

hdwmy.com

wmrobots.net

danstamos.com

rewardcarousel.com

esports-mindset.com

kccustodylawyer.com

longdingsz.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2816-132-0x0000000010000000-0x000000001007A000-memory.dmp	formbook

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
5052	2816	WerFault.exe	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe
3820	2816	WerFault.exe	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

pid	process
2816	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe
2816	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe

description	pid	process	target process
PID 2816 wrote to memory of 5052	2816	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe	WerFault.exe
PID 2816 wrote to memory of 5052	2816	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe	WerFault.exe
PID 2816 wrote to memory of 5052	2816	4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe	WerFault.exe

C:\Users\Admin\AppData\Local\Temp\4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe
"C:\Users\Admin\AppData\Local\Temp\4aa789cf7c10418cc7ae60d4f2f5e0879521d6fe6d00d381df103156b4d4c1d7.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2816

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 424
2⤵
- Program crash
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2816 -s 424
2⤵
- Program crash
PID:3820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2816 -ip 2816
1⤵
PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-132-0x0000000010000000-0x000000001007A000-memory.dmp

Filesize
488KB

Download
memory/2816-133-0x0000000002590000-0x00000000028DA000-memory.dmp

Filesize
3.3MB

Download
memory/5052-134-0x0000000000000000-mapping.dmp

Download