formbook | ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5

Analysis

max time kernel
95s
max time network
32s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

75cdfaec4d70a869f819702c2a553048.exe
Size

860KB
MD5

75cdfaec4d70a869f819702c2a553048
SHA1

f720990a2ba4fdce268d923d464489a57cab9978
SHA256

ddaf9934762825fb0168b9c861d81cbc664ee2248c912e0ed8bd980289577ee5
SHA512

4548cc1e2713f9b87ca0a0b05ca6b4315e2825d4d02f49a3f1a55227899d33a5845adf0438febaddc797a6d5c2297c53002104fc7f2313de1443e035e37cfc68
SSDEEP

24576:s35LjrZx3bwurBhQbxa1Q+SDkzR9FskHFt:s3drZx3bwurBhQbxa1lzhHFt

Score

10^/10

formbook dv22 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv22

Decoy

ivk-muc.com

theplantgranny.net

efefefficient.buzz

car-deals-87506.com

yangcongzhibo.net

empiralventures.com

latexpillo.com

ferramentafivizzanese.shop

kx1553.com

timamollo.africa

paran6787.net

fabicilio.online

kreativnettchen.shop

manakamana.co.uk

andreapeverelli.shop

jianf.site

kmqan.xyz

aoshilang.com

dnsmctmu.com

pumpkinsmp.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/336-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/336-64-0x000000000041F140-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

75cdfaec4d70a869f819702c2a553048.exe

description pid process target process

PID 972 set thread context of 336 972 75cdfaec4d70a869f819702c2a553048.exe 75cdfaec4d70a869f819702c2a553048.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

75cdfaec4d70a869f819702c2a553048.exe

pid process

336 75cdfaec4d70a869f819702c2a553048.exe

description	pid	process	target process
PID 972 set thread context of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe

pid	process
336	75cdfaec4d70a869f819702c2a553048.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

75cdfaec4d70a869f819702c2a553048.exe

description	pid	process	target process
PID 972 wrote to memory of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe
PID 972 wrote to memory of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe
PID 972 wrote to memory of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe
PID 972 wrote to memory of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe
PID 972 wrote to memory of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe
PID 972 wrote to memory of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe
PID 972 wrote to memory of 336	972	75cdfaec4d70a869f819702c2a553048.exe	75cdfaec4d70a869f819702c2a553048.exe

C:\Users\Admin\AppData\Local\Temp\75cdfaec4d70a869f819702c2a553048.exe
"C:\Users\Admin\AppData\Local\Temp\75cdfaec4d70a869f819702c2a553048.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:972
- C:\Users\Admin\AppData\Local\Temp\75cdfaec4d70a869f819702c2a553048.exe
  "C:\Users\Admin\AppData\Local\Temp\75cdfaec4d70a869f819702c2a553048.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:336

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/336-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/336-64-0x000000000041F140-mapping.dmp

Download
memory/336-65-0x00000000008F0000-0x0000000000BF3000-memory.dmp

Filesize
3.0MB

Download
memory/972-54-0x0000000000F80000-0x000000000105E000-memory.dmp

Filesize
888KB

Download
memory/972-55-0x0000000074D81000-0x0000000074D83000-memory.dmp

Filesize
8KB

Download
memory/972-56-0x00000000004A0000-0x00000000004B6000-memory.dmp

Filesize
88KB

Download
memory/972-57-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/972-58-0x0000000005D40000-0x0000000005DD2000-memory.dmp

Filesize
584KB

Download
memory/972-59-0x0000000004780000-0x00000000047D8000-memory.dmp

Filesize
352KB

Download