formbook | 9ba86919308607097ed2da7d7857626435ab53b8b00b88f826fb1f403013fc7c

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 07:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
Size

861KB
MD5

69c7175b6059bc3ef1f2d115e8f849a3
SHA1

ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb
SHA256

9ba86919308607097ed2da7d7857626435ab53b8b00b88f826fb1f403013fc7c
SHA512

093d47fac1cf86a8f9c47a44a33977b5548024b037196350e49eb8363ff333e2ade232c9b02dd1a6ff2742c9e81ca11a651d2757e7b11904309f4e0306a27207
SSDEEP

12288:Z3ZKHRfBUCDkdTWrifH7IINt0gpWOJSqLRrSfN9YnZNM0MSvhh7LUQw:5ZofBUCDcTZPWOTdS1Cn/M0MSvfS

Score

10^/10

formbook ned5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ned5

Decoy

asian-dating-42620.com

ttg06.com

cupandbelle.com

prepaidprocess.com

jrzkt.com

hdgby2.com

finnnann.com

chillpill-shoppygood.com

sfdgg.online

articlerewritertool.net

cdjxsculture.com

omnificare.info

lasafblanch.com

omaxfort.xyz

spk.info

shb1368.com

jewelry-10484.com

hubsp0t.com

shronky.com

yangjh34.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4408-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2088 set thread context of 4408	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	85

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
4408	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
4408	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 4704	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	83
PID 2088 wrote to memory of 4704	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	83
PID 2088 wrote to memory of 4704	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	83
PID 2088 wrote to memory of 2320	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	84
PID 2088 wrote to memory of 2320	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	84
PID 2088 wrote to memory of 2320	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	84
PID 2088 wrote to memory of 4408	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	85
PID 2088 wrote to memory of 4408	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	85
PID 2088 wrote to memory of 4408	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	85
PID 2088 wrote to memory of 4408	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	85
PID 2088 wrote to memory of 4408	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	85
PID 2088 wrote to memory of 4408	2088	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	85

C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
"C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
  "{path}"
  2⤵
  PID:4704
- C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
  "{path}"
  2⤵
  PID:2320
- C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2088-132-0x0000000000310000-0x00000000003EE000-memory.dmp

Filesize
888KB

Download
memory/2088-133-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/2088-134-0x0000000004E00000-0x0000000004E92000-memory.dmp

Filesize
584KB

Download
memory/2088-135-0x0000000004EA0000-0x0000000004F3C000-memory.dmp

Filesize
624KB

Download
memory/2088-136-0x0000000004D70000-0x0000000004D7A000-memory.dmp

Filesize
40KB

Download
memory/2320-138-0x0000000000000000-mapping.dmp

Download
memory/4408-139-0x0000000000000000-mapping.dmp

Download
memory/4408-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4408-141-0x0000000001470000-0x00000000017BA000-memory.dmp

Filesize
3.3MB

Download
memory/4704-137-0x0000000000000000-mapping.dmp

Download