formbook | 1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f

Analysis

max time kernel
45s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-02-2023 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe
Size

665KB
MD5

1671739b7061eae33d9603cf5e213207
SHA1

00eda59ab9ff4c9358a5b0dc0abdac7b4a2b1c95
SHA256

1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f
SHA512

ee15df28f2279b6ced82afb9c69eafcf372858148d1eee3098098eb8bef1a54731de7945507e89ccadb730aa0ea68f5a7b7a8f77aec84ba3891abff3fba9f9d6
SSDEEP

12288:yC66Bm2iNNRsdvtyAL7pYiRas42N4omRcXnUqMYjfCP66B:vVM1rRsdvzLjaSdh2PV

Score

10^/10

formbook cr63 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cr63

Decoy

kontorsprylar.com

efefeatable.buzz

gbmorningnews.online

bbntherapy.com

achmadsyafii.com

hrunmall7489.com

blurens-de.com

fadalinovaes.net

sahalenergy.com

486947.com

thelabresults.africa

ldkjcu8.vip

5t8nds.live

kapokbay.com

vieop.online

cristiebussey.com

exsharebuddy.com

back9grillclgc.com

danielsnetworkingsecurity.com

dutcode-xyz.net

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/1616-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook
behavioral1/memory/1616-64-0x000000000041F090-mapping.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1864 set thread context of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1616	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26
PID 1864 wrote to memory of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26
PID 1864 wrote to memory of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26
PID 1864 wrote to memory of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26
PID 1864 wrote to memory of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26
PID 1864 wrote to memory of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26
PID 1864 wrote to memory of 1616	1864	1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe	26

C:\Users\Admin\AppData\Local\Temp\1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe
"C:\Users\Admin\AppData\Local\Temp\1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Users\Admin\AppData\Local\Temp\1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe
  "C:\Users\Admin\AppData\Local\Temp\1bdc70b47e7a3cfd638eca937ad2117c53ac6cf9fe042cd46fcbc9971d06504f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1616

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1616-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1616-64-0x000000000041F090-mapping.dmp

Download
memory/1616-65-0x0000000000930000-0x0000000000C33000-memory.dmp

Filesize
3.0MB

Download
memory/1864-54-0x0000000001080000-0x000000000112C000-memory.dmp

Filesize
688KB

Download
memory/1864-55-0x0000000075911000-0x0000000075913000-memory.dmp

Filesize
8KB

Download
memory/1864-56-0x0000000000320000-0x0000000000332000-memory.dmp

Filesize
72KB

Download
memory/1864-57-0x00000000003F0000-0x00000000003FA000-memory.dmp

Filesize
40KB

Download
memory/1864-58-0x0000000004E00000-0x0000000004E70000-memory.dmp

Filesize
448KB

Download
memory/1864-59-0x0000000004830000-0x0000000004866000-memory.dmp

Filesize
216KB

Download