formbook | ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5

Analysis

max time kernel
133s
max time network
165s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 03:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
Size

860KB
MD5

75cdfaec4d70a869f819702c2a553048
SHA1

f720990a2ba4fdce268d923d464489a57cab9978
SHA256

ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5
SHA512

4548cc1e2713f9b87ca0a0b05ca6b4315e2825d4d02f49a3f1a55227899d33a5845adf0438febaddc797a6d5c2297c53002104fc7f2313de1443e035e37cfc68
SSDEEP

24576:s35LjrZx3bwurBhQbxa1Q+SDkzR9FskHFt:s3drZx3bwurBhQbxa1lzhHFt

Score

10^/10

formbook dv22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv22

Decoy

ivk-muc.com

theplantgranny.net

efefefficient.buzz

car-deals-87506.com

yangcongzhibo.net

empiralventures.com

latexpillo.com

ferramentafivizzanese.shop

kx1553.com

timamollo.africa

paran6787.net

fabicilio.online

kreativnettchen.shop

manakamana.co.uk

andreapeverelli.shop

jianf.site

kmqan.xyz

aoshilang.com

dnsmctmu.com

pumpkinsmp.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2284-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe

description	pid	process	target process
PID 3160 set thread context of 2284	3160	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe

pid	process
2284	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
2284	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe

description	pid	process	target process
PID 3160 wrote to memory of 2284	3160	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
PID 3160 wrote to memory of 2284	3160	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
PID 3160 wrote to memory of 2284	3160	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
PID 3160 wrote to memory of 2284	3160	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
PID 3160 wrote to memory of 2284	3160	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
PID 3160 wrote to memory of 2284	3160	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe	ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe

C:\Users\Admin\AppData\Local\Temp\ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
"C:\Users\Admin\AppData\Local\Temp\ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3160

C:\Users\Admin\AppData\Local\Temp\ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe
"C:\Users\Admin\AppData\Local\Temp\ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2284-137-0x0000000000000000-mapping.dmp

Download
memory/2284-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2284-139-0x0000000001720000-0x0000000001A6A000-memory.dmp

Filesize
3.3MB

Download
memory/3160-132-0x0000000000170000-0x000000000024E000-memory.dmp

Filesize
888KB

Download
memory/3160-133-0x0000000005260000-0x0000000005804000-memory.dmp

Filesize
5.6MB

Download
memory/3160-134-0x0000000004BD0000-0x0000000004C62000-memory.dmp

Filesize
584KB

Download
memory/3160-135-0x0000000004E10000-0x0000000004E1A000-memory.dmp

Filesize
40KB

Download
memory/3160-136-0x0000000005110000-0x00000000051AC000-memory.dmp

Filesize
624KB

Download