formbook | 3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93

Analysis

max time kernel
180s
max time network
213s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
08-12-2022 03:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
Size

936KB
MD5

45de11e238928df8cf415f31abb63e4a
SHA1

a123fee9e91c4b2c5eeefc3493ec22b91961d95e
SHA256

3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93
SHA512

42b9ab2c2dd4710abfb7f88a01fd3630834004881f5ff28e7cdd44e79ebdd3d77fde66fc1a92b4afed840801c7228472e173b345b07ac46212565d79e6a7fa6c
SSDEEP

24576:dr1DtT3FOy+b4lROUhwSz80jcIwqR+LBI:drvLFOS/hc0QIwqRuB

Score

10^/10

formbook vr84 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

vr84

Decoy

intouchenergy.co.uk

lalumalkaliram.com

hillgreenholidays.co.uk

fluentliteracy.com

buildingworkerpower.com

by23577.com

gate-ch375019.online

jayess-decor.com

larkslife.com

swsnacks.co.uk

bigturtletiny.com

egggge.xyz

olastore.africa

lightshowsnewengland.com

daily-lox.com

empireoba.com

91302events.com

lawrencecountyfirechiefs.com

abrahamslibrary.com

cleaner365.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4492-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe

description	pid	process	target process
PID 5048 set thread context of 4492	5048	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe

pid	process
4492	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
4492	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe

description	pid	process	target process
PID 5048 wrote to memory of 4492	5048	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
PID 5048 wrote to memory of 4492	5048	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
PID 5048 wrote to memory of 4492	5048	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
PID 5048 wrote to memory of 4492	5048	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
PID 5048 wrote to memory of 4492	5048	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
PID 5048 wrote to memory of 4492	5048	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe	3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe

C:\Users\Admin\AppData\Local\Temp\3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
"C:\Users\Admin\AppData\Local\Temp\3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048

C:\Users\Admin\AppData\Local\Temp\3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe
"C:\Users\Admin\AppData\Local\Temp\3375a85f28c1c6c7da5ae9684bb5538230e0a186c83dae7377b2a04083de9b93.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4492-137-0x0000000000000000-mapping.dmp

Download
memory/4492-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4492-139-0x0000000000F40000-0x000000000128A000-memory.dmp

Filesize
3.3MB

Download
memory/5048-132-0x0000000000730000-0x0000000000820000-memory.dmp

Filesize
960KB

Download
memory/5048-133-0x0000000005890000-0x0000000005E34000-memory.dmp

Filesize
5.6MB

Download
memory/5048-134-0x00000000051A0000-0x0000000005232000-memory.dmp

Filesize
584KB

Download
memory/5048-135-0x00000000052E0000-0x00000000052EA000-memory.dmp

Filesize
40KB

Download
memory/5048-136-0x00000000053B0000-0x000000000544C000-memory.dmp

Filesize
624KB

Download