formbook | b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1

Analysis

max time kernel
91s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
20/12/2022, 02:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe
Size

608KB
MD5

9d07f99187d4dec0f64396ca8a76d5b8
SHA1

1538c9e430041eceecf0d12c210ff8871b9ca67c
SHA256

b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1
SHA512

df0d8888e3c2e9fed88676882bde8a51231fc6f8e19e45c9d0ade2a12250d4575ac44520f43363b85000148ca2e9401074a2fc07d2dd169400ae0ef2212df29c
SSDEEP

12288:sBMPrfQL69T/gVdnKkCaHDGjl+F2Owm84wpKziRechzf3NWWI2t2M:LtgVBK2jGjl+F2TqwpKz1CzPNWy

Score

10^/10

formbook b47h rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b47h

Decoy

whistleblow-now.com

14live-msa.one

yenitedarikciniz.xyz

marmargoods.com

full-funs.com

saoraigne.com

noemiaguesthouse.space

datatobe.community

sollight.net

wavestudios.pro

freeorama.com

fasinixiaoribenguizi032.com

mariajaq.com

hyper.vote

aedin.dev

docind.com

zhulinx.com

estairon.best

mlnphotography.art

1948ardithdr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/3028-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3152 set thread context of 3028	3152	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3028	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe
3028	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 3028	3152	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe	91
PID 3152 wrote to memory of 3028	3152	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe	91
PID 3152 wrote to memory of 3028	3152	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe	91
PID 3152 wrote to memory of 3028	3152	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe	91
PID 3152 wrote to memory of 3028	3152	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe	91
PID 3152 wrote to memory of 3028	3152	b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe	91

C:\Users\Admin\AppData\Local\Temp\b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe
"C:\Users\Admin\AppData\Local\Temp\b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Users\Admin\AppData\Local\Temp\b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe
  "C:\Users\Admin\AppData\Local\Temp\b3a41dea7c4e14a4f0dbce7c76229121c97bcc0950ce35e59c27ca2cbe6b28a1.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3028

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3028-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3028-139-0x0000000001120000-0x000000000146A000-memory.dmp

Filesize
3.3MB

Download
memory/3152-132-0x00000000001C0000-0x000000000025C000-memory.dmp

Filesize
624KB

Download
memory/3152-133-0x0000000005250000-0x00000000057F4000-memory.dmp

Filesize
5.6MB

Download
memory/3152-134-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/3152-135-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

Filesize
40KB

Download
memory/3152-136-0x00000000075E0000-0x000000000767C000-memory.dmp

Filesize
624KB

Download