formbook | fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71

Resubmissions

30/12/2022, 03:53

221230-efty4aab7y 10

29/12/2022, 16:16

221229-tqsaksdd99 10

Analysis

max time kernel
91s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
30/12/2022, 03:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe
Size

840KB
MD5

837fd128d246ccb07647515dd273f4f9
SHA1

8fa22f3f426216aa7f1301d127582aa7434c9d4b
SHA256

fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71
SHA512

19f668b337f08ce16e831fe811876edf632d9e5c06b3d311bd9c7057c480fbe3ba2fc1c9d446cba4b755d375dff7bdbcd80224223b79204ce7324de19fd665c1
SSDEEP

12288:UZ/fiJLRc2evo2Ursov0KT4zHsyYgH/PT134slbbHl2qPVGNbTuMuKBD7hpvA/N:JAo/s7HsynTB4ATST0sDdIN

Score

10^/10

formbook et2d rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

et2d

Decoy

wcaconline.com

travelbackpackss.com

ao-m-nishinomiya.com

tilania.com

vegbydesign.net

mybabysisterscloset.com

sanctitude-cuspidated.com

russtybeats.com

dichvubangchuan.com

su-seikatu.info

eratosantorini.com

ninetofivemama.com

delishany.com

pawchamamapet.net

nissicloud.com

strictlyotaku.net

kissmanga.pro

appalachianfx.com

aralending.com

forbrighterlife.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3648-139-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 904 set thread context of 3648	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe	86

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe
3648	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe
3648	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 904 wrote to memory of 3648	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe	86
PID 904 wrote to memory of 3648	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe	86
PID 904 wrote to memory of 3648	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe	86
PID 904 wrote to memory of 3648	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe	86
PID 904 wrote to memory of 3648	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe	86
PID 904 wrote to memory of 3648	904	fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe	86

C:\Users\Admin\AppData\Local\Temp\fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe
"C:\Users\Admin\AppData\Local\Temp\fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:904
- C:\Users\Admin\AppData\Local\Temp\fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe
  "C:\Users\Admin\AppData\Local\Temp\fb9ff8cbde506cb2cfdb40e88fe3fd6877a2e9945a71f07c7252647271763e71.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/904-132-0x0000000000E80000-0x0000000000F58000-memory.dmp

Filesize
864KB

Download
memory/904-133-0x0000000005920000-0x00000000059BC000-memory.dmp

Filesize
624KB

Download
memory/904-134-0x0000000005F70000-0x0000000006514000-memory.dmp

Filesize
5.6MB

Download
memory/904-135-0x00000000059C0000-0x0000000005A52000-memory.dmp

Filesize
584KB

Download
memory/904-136-0x0000000005900000-0x000000000590A000-memory.dmp

Filesize
40KB

Download
memory/904-137-0x0000000005C20000-0x0000000005C76000-memory.dmp

Filesize
344KB

Download
memory/3648-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3648-140-0x0000000001740000-0x0000000001A8A000-memory.dmp

Filesize
3.3MB

Download