formbook | 3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0

Analysis

max time kernel
48s
max time network
53s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 19:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
Size

669KB
MD5

2f58636fbd887acd4fb3e8802d4c7fd8
SHA1

be18d7673ffa13ebefd0331a74b71851e70411da
SHA256

3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0
SHA512

671e62344766be4e12e007424b952dfe6abdf17176166f89c6e79c6c34e6c6a3b97a9454ad20464132cd80b8f61b5417ce66bb890c58a4e03a7f06f44ccb2637
SSDEEP

12288:GGcKa+E6SPtAcsrx2Q004g0owdvnleg/kXkKE2rBE6nuSxFoC:KKHLSFAcsd7jsHllL4r9Bxv

Score

10^/10

formbook thg rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

thg

Decoy

retrospectphotographydesign.com

jafodraws.com

cigiwie.space

upgradecarehealth.com

12ts.xyz

111indianbend.com

qqchbakery.com

0831xx.com

supecret.com

ayfadopple.com

coldwateradvisors.com

forexgiftcard.com

actionconsultingchile.com

mpsconcrete.net

carmallc.com

b167888.com

simonking.xyz

elitedigitalperformance.com

essentialjanitorialservices.com

barcosocasionberga.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/996-62-0x000000000041EAE0-mapping.dmp	formbook
behavioral1/memory/996-61-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe

description	pid	process	target process
PID 1140 set thread context of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe

pid process

996 3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe

pid	process
996	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe

description	pid	process	target process
PID 1140 wrote to memory of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
PID 1140 wrote to memory of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
PID 1140 wrote to memory of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
PID 1140 wrote to memory of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
PID 1140 wrote to memory of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
PID 1140 wrote to memory of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
PID 1140 wrote to memory of 996	1140	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe	3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe

C:\Users\Admin\AppData\Local\Temp\3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
"C:\Users\Admin\AppData\Local\Temp\3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1140

C:\Users\Admin\AppData\Local\Temp\3e8da4fa74ffde7264e854c958bbad0892813c261a525a5a6053c3bfd0e612c0.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:996

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/996-58-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/996-59-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/996-62-0x000000000041EAE0-mapping.dmp

Download
memory/996-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/996-63-0x0000000000850000-0x0000000000B53000-memory.dmp

Filesize
3.0MB

Download
memory/1140-54-0x0000000000350000-0x00000000003FC000-memory.dmp

Filesize
688KB

Download
memory/1140-55-0x0000000075091000-0x0000000075093000-memory.dmp

Filesize
8KB

Download
memory/1140-56-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1140-57-0x0000000004E70000-0x0000000004ECA000-memory.dmp

Filesize
360KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads