formbook | 6a8b8d64cdbdd6d21a4c56e47929c8dee133615149ef899342842fbbe910c2fa

Analysis

max time kernel
107s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2022 04:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7522af8f62b472e0fd325102ec12624.exe
Size

1.0MB
MD5

d7522af8f62b472e0fd325102ec12624
SHA1

04470c6f012a16ada80839931be700ee4421e8d0
SHA256

6a8b8d64cdbdd6d21a4c56e47929c8dee133615149ef899342842fbbe910c2fa
SHA512

0b53d1660aed71d912d418522f43d526ba1c4556900805e9ab50e096282621163bcff6e3de7e2a2e0e9a1cff6a7143cedb0a4df8a2216cc704441b6a9fb05db7
SSDEEP

12288:LZ+2iN1/Sr+pYH8c+9eG8zYJDkrL+oQ1+vJoKWFcVBYt+zAf+mDXttarruVBDUJ1:A1e+YH80G8zYJDkrLTQ8qKWFQ3zp

Score

10^/10

formbook b47h rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b47h

Decoy

whistleblow-now.com

14live-msa.one

yenitedarikciniz.xyz

marmargoods.com

full-funs.com

saoraigne.com

noemiaguesthouse.space

datatobe.community

sollight.net

wavestudios.pro

freeorama.com

fasinixiaoribenguizi032.com

mariajaq.com

hyper.vote

aedin.dev

docind.com

zhulinx.com

estairon.best

mlnphotography.art

1948ardithdr.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2280-138-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 792 set thread context of 2280	792	d7522af8f62b472e0fd325102ec12624.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2280	d7522af8f62b472e0fd325102ec12624.exe
2280	d7522af8f62b472e0fd325102ec12624.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 792 wrote to memory of 2280	792	d7522af8f62b472e0fd325102ec12624.exe	93
PID 792 wrote to memory of 2280	792	d7522af8f62b472e0fd325102ec12624.exe	93
PID 792 wrote to memory of 2280	792	d7522af8f62b472e0fd325102ec12624.exe	93
PID 792 wrote to memory of 2280	792	d7522af8f62b472e0fd325102ec12624.exe	93
PID 792 wrote to memory of 2280	792	d7522af8f62b472e0fd325102ec12624.exe	93
PID 792 wrote to memory of 2280	792	d7522af8f62b472e0fd325102ec12624.exe	93

C:\Users\Admin\AppData\Local\Temp\d7522af8f62b472e0fd325102ec12624.exe
"C:\Users\Admin\AppData\Local\Temp\d7522af8f62b472e0fd325102ec12624.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:792
- C:\Users\Admin\AppData\Local\Temp\d7522af8f62b472e0fd325102ec12624.exe
  "C:\Users\Admin\AppData\Local\Temp\d7522af8f62b472e0fd325102ec12624.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2280

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/792-132-0x0000000000D50000-0x0000000000E56000-memory.dmp

Filesize
1.0MB

Download
memory/792-133-0x0000000005E00000-0x00000000063A4000-memory.dmp

Filesize
5.6MB

Download
memory/792-134-0x0000000005850000-0x00000000058E2000-memory.dmp

Filesize
584KB

Download
memory/792-135-0x0000000005800000-0x000000000580A000-memory.dmp

Filesize
40KB

Download
memory/792-136-0x00000000082C0000-0x000000000835C000-memory.dmp

Filesize
624KB

Download
memory/2280-138-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2280-139-0x00000000016E0000-0x0000000001A2A000-memory.dmp

Filesize
3.3MB

Download