formbook | 5072-139-0x0000000000400000-0x000000000042F000-memory[.]dmp

General

Target

5072-139-0x0000000000400000-0x000000000042F000-memory.dmp
Size

188KB
MD5

43d124ec8283ca6af75004937a118a93
SHA1

337539f8da1946d1fe14e58d8ace3ff086dc1c48
SHA256

43eaf3e4061b870741f8ab9e6a68c71222afead7efab9281414b740356fc4410
SHA512

815f3122e23ea3b4ad779cef6b8f6fe489d3f9c13e55d299769ca2de1f84a794b71f696eee85dcc88c3503ec27974cfdb7474eaa5b8d24a42875782dd350e3c0
SSDEEP

3072:5asfEjw2zh7nNQ3mPNIiLjB2a8y0JibrB7YlTFswZnr+DmJbL:PxiNemFIS0a8y0aBclKwZyDmf

Score

10^/10

rat lh24 formbook

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

lh24

Decoy

50spage.com

acesalamo.xyz

magicair.org.uk

jrroyalps.com

hohot.xyz

affichecrea.com

2048xtw.net

atlas-pars.com

cqxjbz.com

180bingxue.com

coupdechacal.com

k00050.com

twin-vitro.net

haverninstitute.com

espada-japonesa.com

launchcu.info

discountauto.club

8o7eventhebrand.com

fishersmarinaandcampground.com

crystalfloodplain.com

Signatures

Formbook family
formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

sample formbook

resource	yara_rule
sample	formbook

Files

5072-139-0x0000000000400000-0x000000000042F000-memory.dmp
.exe windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 180KB - Virtual size: 180KB

.text
Size: 180KB - Virtual size: 180KB