formbook | 651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0

Analysis

max time kernel
46s
max time network
47s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
Size

697KB
MD5

5e14c731e0b4f67493b838262b7364cb
SHA1

47437d61e5e025ae8e6f7d4a6172edeead8e29c1
SHA256

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0
SHA512

65a8ee82d4f4ec9a9f3574ab5a603ffd08ee028865fa67b09c62e36b4c83f500ae1c376b43a55265760879a8b057f7f47e75651c8076523f85e315af1de078ee
SSDEEP

12288:+4Vgh/PsZ1DX/VDJI6J8TOmb0PIL1gHH4WfgLO5zsJr:BVgh/PU8/QPhHY5O5QJr

Score

10^/10

formbook g28p rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g28p

Decoy

whhmgs.asia

wellmedcaredirect.net

beggarded.com

wtpjiv.site

todo-celulares.com

parkitny.net

43345.top

pro-genie.com

cwdxz.com

cbc-inc.xyz

healthspots.net

rulil.top

pyramidaudit.solutions

k8sb15.live

hempaware.report

usclink.life

stayefs.net

05262.top

shop-izakaya-jin.com

iccworldcupnews.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1148-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1148-64-0x000000000041F100-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

description	pid	process	target process
PID 1740 set thread context of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

pid process

1148 651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

pid	process
1148	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

description	pid	process	target process
PID 1740 wrote to memory of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 1740 wrote to memory of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 1740 wrote to memory of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 1740 wrote to memory of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 1740 wrote to memory of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 1740 wrote to memory of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 1740 wrote to memory of 1148	1740	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
"C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1740

C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
"C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1148

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1148-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1148-64-0x000000000041F100-mapping.dmp

Download
memory/1148-65-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1740-54-0x0000000000990000-0x0000000000A44000-memory.dmp

Filesize
720KB

Download
memory/1740-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/1740-56-0x00000000004F0000-0x0000000000508000-memory.dmp

Filesize
96KB

Download
memory/1740-57-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/1740-58-0x00000000055B0000-0x0000000005620000-memory.dmp

Filesize
448KB

Download
memory/1740-59-0x0000000004280000-0x00000000042B4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads