formbook | 9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60

Analysis

max time kernel
54s
max time network
31s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
29-01-2023 18:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe
Size

456KB
MD5

60be7286ec1b99627d280ecc8836d8bf
SHA1

54275d9e0644a64409c7ebf428fb896b8fc09cc1
SHA256

9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60
SHA512

4e8639fd733c2a95f0c924f30737aaf7751e1464c9cd04624175daadaa4609cfbccfcde9ab566a679434498374fff413c21c3c461f989262d749af3b3887bd2e
SSDEEP

12288:oRg+au+xD+twE66E9b+2Bpme3r8ptnDBMdK+5rT:R39yipnmeb2DmdbT

Score

10^/10

formbook el rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

Decoy

fundayinc.com

91shiping.red

piccgz.com

greylockiceandheating.com

6-15hothamstreetstkildaeast.com

bladspiegel.com

xn--ruq41buok09a6r0azmh.com

reallifeandlipstick.com

wwwjinsha594.com

wpnull.info

dtaubman.net

eldhw.win

caringhouseholds.com

texasisrael.com

confiservice.com

unihome.store

xn--doqs90b84tkjg.com

xuanweiping.com

edictiosapiens.com

kalkulatorkredytow.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/964-62-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2036 set thread context of 964	2036	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
964	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2036	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
964	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2036 wrote to memory of 964	2036	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe	28
PID 2036 wrote to memory of 964	2036	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe	28
PID 2036 wrote to memory of 964	2036	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe	28
PID 2036 wrote to memory of 964	2036	9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe	28

C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe
"C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe
  C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of UnmapMainImage
  PID:964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/964-62-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/964-63-0x0000000077940000-0x0000000077AC0000-memory.dmp

Filesize
1.5MB

Download
memory/964-64-0x0000000006970000-0x0000000006C73000-memory.dmp

Filesize
3.0MB

Download
memory/2036-56-0x00000000002F0000-0x00000000002F6000-memory.dmp

Filesize
24KB

Download
memory/2036-57-0x0000000075511000-0x0000000075513000-memory.dmp

Filesize
8KB

Download
memory/2036-59-0x0000000077940000-0x0000000077AC0000-memory.dmp

Filesize
1.5MB

Download