formbook | ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538

Analysis

max time kernel
121s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 15:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3b61d04e555f74f42e22c71a5885ac71.exe
Size

636KB
MD5

3b61d04e555f74f42e22c71a5885ac71
SHA1

9c774e98b87394627d311a552d8bde85d57b327c
SHA256

ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538
SHA512

f7363fa7857e791e6fd9320fba7c1d3927fd4c0aa6a7935a88ffabd747323f0e93d12a8f3c4be2625606e86c8f612e4271ef9ee41848d3bf2a8bdc4fed328f70
SSDEEP

12288:yucKpbKbf92TXwpL3sMcIobFB5BD8tVvkwkrscPA3QR+:yF4bKOORcIoxBDr1P/

Score

10^/10

formbook d94i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1804-64-0x000000000041F160-mapping.dmp	formbook
behavioral1/memory/1804-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

3b61d04e555f74f42e22c71a5885ac71.exe

description pid process target process

PID 1388 set thread context of 1804 1388 3b61d04e555f74f42e22c71a5885ac71.exe 3b61d04e555f74f42e22c71a5885ac71.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3b61d04e555f74f42e22c71a5885ac71.exe

pid process

1804 3b61d04e555f74f42e22c71a5885ac71.exe

description	pid	process	target process
PID 1388 set thread context of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe

pid	process
1804	3b61d04e555f74f42e22c71a5885ac71.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3b61d04e555f74f42e22c71a5885ac71.exe

description	pid	process	target process
PID 1388 wrote to memory of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe
PID 1388 wrote to memory of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe
PID 1388 wrote to memory of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe
PID 1388 wrote to memory of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe
PID 1388 wrote to memory of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe
PID 1388 wrote to memory of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe
PID 1388 wrote to memory of 1804	1388	3b61d04e555f74f42e22c71a5885ac71.exe	3b61d04e555f74f42e22c71a5885ac71.exe

C:\Users\Admin\AppData\Local\Temp\3b61d04e555f74f42e22c71a5885ac71.exe
"C:\Users\Admin\AppData\Local\Temp\3b61d04e555f74f42e22c71a5885ac71.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1388

C:\Users\Admin\AppData\Local\Temp\3b61d04e555f74f42e22c71a5885ac71.exe
"C:\Users\Admin\AppData\Local\Temp\3b61d04e555f74f42e22c71a5885ac71.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1388-54-0x0000000000840000-0x00000000008E6000-memory.dmp

Filesize
664KB

Download
memory/1388-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1388-56-0x0000000000630000-0x0000000000646000-memory.dmp

Filesize
88KB

Download
memory/1388-57-0x0000000000640000-0x000000000064E000-memory.dmp

Filesize
56KB

Download
memory/1388-58-0x0000000004700000-0x0000000004770000-memory.dmp

Filesize
448KB

Download
memory/1388-59-0x0000000004100000-0x0000000004134000-memory.dmp

Filesize
208KB

Download
memory/1804-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-64-0x000000000041F160-mapping.dmp

Download
memory/1804-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1804-65-0x0000000000BC0000-0x0000000000EC3000-memory.dmp

Filesize
3.0MB

Download