formbook | 9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570

Analysis

max time kernel
45s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
03-01-2023 05:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
Size

631KB
MD5

7d6ff1922141c5a973665b8fbf23ad28
SHA1

d3e359ba67218bc6ee10a87fb4e5f4d811f2b8cd
SHA256

9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570
SHA512

009cb7a687d11300a01ebf506abd0d91bc43b199ac8bea0155cfc9c86ae19640fbb2422ed4390ee2c0b4ffa7501849b6e225bbd25300d032e107e7a03baede7e
SSDEEP

12288:AwhuJ1Qvhzps7LZ3CUlebztjq7dfaveSS8Ol7amatoVYX9csg87:zuJWs7LZoztjqTS5Ol7akVYXy5

Score

10^/10

formbook d06c rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d06c

Decoy

douglasdetoledopiza.com

yxcc.online

primo.llc

mediamomos.com

cosmetiq-pro.com

22labs.tech

turbowashing.com

lindaivell.site

princess-bed.club

groundget.cfd

agretaminiousa.com

lomoni.com

nessesse.us

lexgo.cloud

halilsener.xyz

kirokubo.cloud

corotip.sbs

meghq.net

5y6s.world

weasib.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/644-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/644-64-0x000000000041F120-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe

description	pid	process	target process
PID 840 set thread context of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe

pid process

644 9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe

pid	process
644	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe

description	pid	process	target process
PID 840 wrote to memory of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
PID 840 wrote to memory of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
PID 840 wrote to memory of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
PID 840 wrote to memory of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
PID 840 wrote to memory of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
PID 840 wrote to memory of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
PID 840 wrote to memory of 644	840	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe	9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe

C:\Users\Admin\AppData\Local\Temp\9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
"C:\Users\Admin\AppData\Local\Temp\9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:840

C:\Users\Admin\AppData\Local\Temp\9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe
"C:\Users\Admin\AppData\Local\Temp\9c22f08fc1cbbb249b54adba03b6a03957cef4181c4161401085db2dd4383570.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:644

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/644-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/644-64-0x000000000041F120-mapping.dmp

Download
memory/644-65-0x0000000000B40000-0x0000000000E43000-memory.dmp

Filesize
3.0MB

Download
memory/840-54-0x0000000000A90000-0x0000000000B34000-memory.dmp

Filesize
656KB

Download
memory/840-55-0x0000000075FF1000-0x0000000075FF3000-memory.dmp

Filesize
8KB

Download
memory/840-56-0x0000000002100000-0x000000000211A000-memory.dmp

Filesize
104KB

Download
memory/840-57-0x0000000000750000-0x000000000075C000-memory.dmp

Filesize
48KB

Download
memory/840-58-0x00000000050F0000-0x0000000005160000-memory.dmp

Filesize
448KB

Download
memory/840-59-0x00000000044B0000-0x00000000044E4000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads