formbook | 9ba86919308607097ed2da7d7857626435ab53b8b00b88f826fb1f403013fc7c

Analysis

max time kernel
31s
max time network
34s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
04-01-2023 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
Size

861KB
MD5

69c7175b6059bc3ef1f2d115e8f849a3
SHA1

ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb
SHA256

9ba86919308607097ed2da7d7857626435ab53b8b00b88f826fb1f403013fc7c
SHA512

093d47fac1cf86a8f9c47a44a33977b5548024b037196350e49eb8363ff333e2ade232c9b02dd1a6ff2742c9e81ca11a651d2757e7b11904309f4e0306a27207
SSDEEP

12288:Z3ZKHRfBUCDkdTWrifH7IINt0gpWOJSqLRrSfN9YnZNM0MSvhh7LUQw:5ZofBUCDcTZPWOTdS1Cn/M0MSvfS

Score

10^/10

formbook ned5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ned5

Decoy

asian-dating-42620.com

ttg06.com

cupandbelle.com

prepaidprocess.com

jrzkt.com

hdgby2.com

finnnann.com

chillpill-shoppygood.com

sfdgg.online

articlerewritertool.net

cdjxsculture.com

omnificare.info

lasafblanch.com

omaxfort.xyz

spk.info

shb1368.com

jewelry-10484.com

hubsp0t.com

shronky.com

yangjh34.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/584-62-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/584-63-0x000000000041F060-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1160 set thread context of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
584	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1160 wrote to memory of 1620	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	28
PID 1160 wrote to memory of 1620	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	28
PID 1160 wrote to memory of 1620	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	28
PID 1160 wrote to memory of 1620	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	28
PID 1160 wrote to memory of 1708	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	29
PID 1160 wrote to memory of 1708	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	29
PID 1160 wrote to memory of 1708	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	29
PID 1160 wrote to memory of 1708	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	29
PID 1160 wrote to memory of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30
PID 1160 wrote to memory of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30
PID 1160 wrote to memory of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30
PID 1160 wrote to memory of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30
PID 1160 wrote to memory of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30
PID 1160 wrote to memory of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30
PID 1160 wrote to memory of 584	1160	ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe	30

C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
"C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1160
- C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
  "{path}"
  2⤵
  PID:1620
- C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
  "{path}"
  2⤵
  PID:1708
- C:\Users\Admin\AppData\Local\Temp\ce6f86b448dca8eade4bc43aac4cc5cf4692bdfb.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:584

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-62-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/584-64-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/1160-54-0x0000000000140000-0x000000000021E000-memory.dmp

Filesize
888KB

Download
memory/1160-55-0x00000000757E1000-0x00000000757E3000-memory.dmp

Filesize
8KB

Download
memory/1160-56-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/1160-57-0x0000000005120000-0x00000000051A6000-memory.dmp

Filesize
536KB

Download
memory/1160-58-0x00000000007D0000-0x0000000000804000-memory.dmp

Filesize
208KB

Download