formbook | 91d502f918a232073359481d07dc7ba2d21b7675bcdc3e3cd0440f1cc9557833

Analysis

max time kernel
32s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
30/03/2023, 17:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9f11abb5fbd7478a8fe993cfe8aac52.exe
Size

762KB
MD5

d9f11abb5fbd7478a8fe993cfe8aac52
SHA1

4ef674f52ba7fb3d8f6ba2ddd2466b5da24b9b20
SHA256

91d502f918a232073359481d07dc7ba2d21b7675bcdc3e3cd0440f1cc9557833
SHA512

249691279cf3c7e04e757eb1300e88c748245f4cd5e5029fb9dd7eea6de943d7cf4b3dc831b8ce84b96f43e11300f2071b3d5c6866fbd436cc038fd53fd063bd
SSDEEP

12288:NQxxBLyywVex3ozH9eqFYLIIm3JkKNzXsle5Cocz6:NknwVegHsqFIliBzXs8

Score

10^/10

formbook ne28 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ne28

Decoy

basic-careitem.net

healstockton.com

groupetalentapro.com

geseconevent.com

adornmentwithadrienne.com

lazylynx.se

forestwerx.com

labishu.com

hilykan.com

beyondyoursenses.co.uk

inno-imc.com

driverrehab.online

mantlepies.co.uk

sicepat.net

kiwitownkids.com

infiniumsource.com

motorsolutionswithmakro.co.uk

6pg.shop

zijlont.xyz

corpusskencar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/268-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1204 set thread context of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
268	d9f11abb5fbd7478a8fe993cfe8aac52.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1204 wrote to memory of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28
PID 1204 wrote to memory of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28
PID 1204 wrote to memory of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28
PID 1204 wrote to memory of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28
PID 1204 wrote to memory of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28
PID 1204 wrote to memory of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28
PID 1204 wrote to memory of 268	1204	d9f11abb5fbd7478a8fe993cfe8aac52.exe	28

C:\Users\Admin\AppData\Local\Temp\d9f11abb5fbd7478a8fe993cfe8aac52.exe
"C:\Users\Admin\AppData\Local\Temp\d9f11abb5fbd7478a8fe993cfe8aac52.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Users\Admin\AppData\Local\Temp\d9f11abb5fbd7478a8fe993cfe8aac52.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:268

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/268-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/268-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/268-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/268-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/268-64-0x0000000000A60000-0x0000000000D63000-memory.dmp

Filesize
3.0MB

Download
memory/1204-54-0x00000000000B0000-0x0000000000174000-memory.dmp

Filesize
784KB

Download
memory/1204-55-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/1204-56-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/1204-57-0x0000000002040000-0x0000000002080000-memory.dmp

Filesize
256KB

Download
memory/1204-58-0x0000000005280000-0x0000000005308000-memory.dmp

Filesize
544KB

Download
memory/1204-59-0x0000000000980000-0x00000000009B4000-memory.dmp

Filesize
208KB

Download