formbook | 651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0

Analysis

max time kernel
196s
max time network
207s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 13:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
Size

697KB
MD5

5e14c731e0b4f67493b838262b7364cb
SHA1

47437d61e5e025ae8e6f7d4a6172edeead8e29c1
SHA256

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0
SHA512

65a8ee82d4f4ec9a9f3574ab5a603ffd08ee028865fa67b09c62e36b4c83f500ae1c376b43a55265760879a8b057f7f47e75651c8076523f85e315af1de078ee
SSDEEP

12288:+4Vgh/PsZ1DX/VDJI6J8TOmb0PIL1gHH4WfgLO5zsJr:BVgh/PU8/QPhHY5O5QJr

Score

10^/10

formbook g28p rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g28p

Decoy

whhmgs.asia

wellmedcaredirect.net

beggarded.com

wtpjiv.site

todo-celulares.com

parkitny.net

43345.top

pro-genie.com

cwdxz.com

cbc-inc.xyz

healthspots.net

rulil.top

pyramidaudit.solutions

k8sb15.live

hempaware.report

usclink.life

stayefs.net

05262.top

shop-izakaya-jin.com

iccworldcupnews.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4488-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

description	pid	process	target process
PID 3844 set thread context of 4488	3844	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

pid	process
4488	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
4488	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

description	pid	process	target process
PID 3844 wrote to memory of 4488	3844	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 3844 wrote to memory of 4488	3844	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 3844 wrote to memory of 4488	3844	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 3844 wrote to memory of 4488	3844	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 3844 wrote to memory of 4488	3844	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
PID 3844 wrote to memory of 4488	3844	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe	651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe

C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
"C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe
  "C:\Users\Admin\AppData\Local\Temp\651404e566b5d65563d62eeca4c89c4b1ae3ed40fb440819b233f576c91d1cc0.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3844-132-0x00000000009E0000-0x0000000000A94000-memory.dmp

Filesize
720KB

Download
memory/3844-133-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/3844-134-0x0000000005360000-0x00000000053F2000-memory.dmp

Filesize
584KB

Download
memory/3844-135-0x0000000005300000-0x000000000530A000-memory.dmp

Filesize
40KB

Download
memory/3844-136-0x0000000007620000-0x00000000076BC000-memory.dmp

Filesize
624KB

Download
memory/4488-137-0x0000000000000000-mapping.dmp

Download
memory/4488-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4488-139-0x0000000001280000-0x00000000015CA000-memory.dmp

Filesize
3.3MB

Download