formbook | b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f

Analysis

max time kernel
208s
max time network
236s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
30-11-2022 19:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
Size

636KB
MD5

d7d2f2ecdb1920f275aef8d228bdff57
SHA1

01a1c36ff40f3c3ee8f3e668da6d1d0f4c33fcfc
SHA256

b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f
SHA512

596e488eb6f795ad1a65a3f66a97a9bff8fa8bd7f512a366c7da2fe5601fe10ed24c079eedd7c302b6e2fb71fe3cd3476ab1dc3a3d884aeaaa25f3e9296fca1c
SSDEEP

6144:nzlmhhPnpn8XMxRWZUV7H+zvLCLSxnUXqAx:zghhP9IM/bV7ePcgmf

Score

10^/10

formbook di rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

baoxiaofan.com

bestwaycartage.com

sag-architecture.com

salamcanteen.com

clinicalpsychologistkerala.com

mttv222.com

theweproject.com

fybbracelets.net

vv666h.com

bangfupin.com

arkprojetos.com

realgoaldigger.com

pilotedphotography.com

6zonxm55.biz

gaoduanmi.com

aminahmad.com

bountymarketing.net

christopher-rennebach.com

02xjys.faith

estilomiau.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1196-136-0x0000000000000000-mapping.dmp	formbook
behavioral2/memory/1196-138-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe

pid	process
1196	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
1196	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe

pid process

1352 b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe

pid	process
1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe

description	pid	process	target process
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
PID 1352 wrote to memory of 1196	1352	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe	b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe

C:\Users\Admin\AppData\Local\Temp\b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
"C:\Users\Admin\AppData\Local\Temp\b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1352

C:\Users\Admin\AppData\Local\Temp\b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe
"C:\Users\Admin\AppData\Local\Temp\b9dea66719022448c18b4eb0ad45dea4ba4e1f5d58e7ce9b3a1ce7882429d02f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1196

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-136-0x0000000000000000-mapping.dmp

Download
memory/1196-138-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/1196-139-0x0000000000AC0000-0x0000000000E0A000-memory.dmp

Filesize
3.3MB

Download
memory/1352-135-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download
memory/1352-137-0x0000000002240000-0x0000000002246000-memory.dmp

Filesize
24KB

Download