formbook | 8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876

Analysis

max time kernel
245s
max time network
335s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
Size

926KB
MD5

fbcb87e65d3a23b4fe229aeace34621f
SHA1

8139f123069e7e7632331779de8ed6d5031efcd1
SHA256

8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876
SHA512

1585b0c6b35bf4cb2c00b82079755e1c536d0a912c307fbbb2028e28b9f88d0cfd9272d459836b064a9893983dd25c1fba2aeeff25ab4ba50c9fd664ff25bd36
SSDEEP

12288:8UUq1vQWztAJchTCRjN1McME0s2BJOwxmGr5t:V17W2hTMN1tZ0s2BJOwxV

Score

10^/10

formbook awqu rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

awqu

Decoy

soltwin24horas.com

kaiget.com

majalahlangitan.com

preventable.top

caronandtom.com

2222k06.com

hdrezkart54ff.net

supermessage.xyz

dezeenb.com

bestatakes.xyz

californiasportsbar.com

hxg66.xyz

localxgirl.online

educ-ability.com

b2breferralshop.online

miamicollisioncenter.com

bjcxqcdb.com

barrineauparkbees.com

robotics6.com

web-bastler.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1508-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1508-64-0x000000000041F140-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

description	pid	process	target process
PID 756 set thread context of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

pid process

1508 8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

pid	process
1508	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

description	pid	process	target process
PID 756 wrote to memory of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
PID 756 wrote to memory of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
PID 756 wrote to memory of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
PID 756 wrote to memory of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
PID 756 wrote to memory of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
PID 756 wrote to memory of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
PID 756 wrote to memory of 1508	756	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe	8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
"C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:756

C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
"C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/756-54-0x00000000011E0000-0x00000000012CE000-memory.dmp

Filesize
952KB

Download
memory/756-55-0x0000000074E61000-0x0000000074E63000-memory.dmp

Filesize
8KB

Download
memory/756-56-0x0000000000440000-0x000000000045A000-memory.dmp

Filesize
104KB

Download
memory/756-57-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/756-58-0x0000000005210000-0x000000000529E000-memory.dmp

Filesize
568KB

Download
memory/756-59-0x0000000001130000-0x0000000001164000-memory.dmp

Filesize
208KB

Download
memory/1508-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-64-0x000000000041F140-mapping.dmp

Download
memory/1508-65-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads