formbook | c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda

Analysis

max time kernel
148s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 13:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
Size

807KB
MD5

458132ead8d6b28dc153956a514a2c27
SHA1

434f76cc3ac8fa7f36e1e4c87944eb6036affd3b
SHA256

c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda
SHA512

3b9d708da96e5ba98bbd7c2b606ef41863928c02c682d604a9f6b76fcad8281ca3e8216a9799d2e6d1c6c514800e1d4f536899c31223a3f205b9cb475ae1fe49
SSDEEP

24576:vr18+L74mBfNUstzokjSU4mpfT6Cm3r8JN:vrEU4mpmCmI

Score

10^/10

formbook g25e rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g25e

Decoy

2491254125.xyz

hookd.gay

uxmelange.com

startupvision3.com

evanwoosley-reed.com

uspalupdser.info

lx0599.com

grupoiaez.com

londonpapershop.com

cremas.store

risespec.com

olivierverdoyant.com

creatednow.com

epicureanhometreats.com

iqijp.com

vcraftboutique.com

furnaristudios.com

dealsgolf.com

djwoojs.com

boatslave.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1796-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1796-64-0x000000000041F090-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe

description	pid	process	target process
PID 2044 set thread context of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe

pid process

1796 c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe

pid	process
1796	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe

description	pid	process	target process
PID 2044 wrote to memory of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
PID 2044 wrote to memory of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
PID 2044 wrote to memory of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
PID 2044 wrote to memory of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
PID 2044 wrote to memory of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
PID 2044 wrote to memory of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
PID 2044 wrote to memory of 1796	2044	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe	c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe

C:\Users\Admin\AppData\Local\Temp\c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
"C:\Users\Admin\AppData\Local\Temp\c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2044
- C:\Users\Admin\AppData\Local\Temp\c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe
  "C:\Users\Admin\AppData\Local\Temp\c8702255a89a489a0e9dbad263a8f491038191c78a20f6cf57429af09b2c2dda.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1796-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-64-0x000000000041F090-mapping.dmp

Download
memory/1796-65-0x00000000009E0000-0x0000000000CE3000-memory.dmp

Filesize
3.0MB

Download
memory/2044-54-0x0000000001330000-0x0000000001400000-memory.dmp

Filesize
832KB

Download
memory/2044-55-0x0000000075F81000-0x0000000075F83000-memory.dmp

Filesize
8KB

Download
memory/2044-56-0x00000000004C0000-0x00000000004D8000-memory.dmp

Filesize
96KB

Download
memory/2044-57-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2044-58-0x0000000004E70000-0x0000000004EE0000-memory.dmp

Filesize
448KB

Download
memory/2044-59-0x0000000000B50000-0x0000000000B84000-memory.dmp

Filesize
208KB

Download