formbook | 9c3d5704da83029f78ee8cf532c746cd04834f5375a698f21c50040ade6c5a09

Analysis

max time kernel
138s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2023, 18:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5bc95f5d8d3bf878098d8527bc679545.exe
Size

680KB
MD5

5bc95f5d8d3bf878098d8527bc679545
SHA1

88611ceeb815ac8f33599a2b6ab8ac6259621260
SHA256

9c3d5704da83029f78ee8cf532c746cd04834f5375a698f21c50040ade6c5a09
SHA512

cf536998a992d89b78e16e6add5d901ef4383558a499f93adb5c978967f2d260c8e60487ffbafcc6094f2ae60214612696c27c7fe560808450727493801e082e
SSDEEP

12288:LBdsgj8Qph9X8ADOlBRUP+FKfY+EMlwpk5n5Hnll:HBj8G38Jr6cx+yWLnj

Score

10^/10

formbook ks01 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ks01

Decoy

glchqx.com

acpwatertreatment.co.uk

hannahschepmann.com

cvcv49.top

crazy-for-promotion.online

goldstreamacademy.africa

erasure.monster

judiangka.boats

fli.group

94ebuy.com

enjoyvet.com

box618.shop

formdr.dev

rivierabathrooms.co.uk

drawntocolour.com

digitalworldobserver.com

lonelinessindex.com

coachifyfunnels.com

abeloewen.com

bahujan.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4732-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4564 set thread context of 4732	4564	5bc95f5d8d3bf878098d8527bc679545.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4732	5bc95f5d8d3bf878098d8527bc679545.exe
4732	5bc95f5d8d3bf878098d8527bc679545.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4564 wrote to memory of 4732	4564	5bc95f5d8d3bf878098d8527bc679545.exe	96
PID 4564 wrote to memory of 4732	4564	5bc95f5d8d3bf878098d8527bc679545.exe	96
PID 4564 wrote to memory of 4732	4564	5bc95f5d8d3bf878098d8527bc679545.exe	96
PID 4564 wrote to memory of 4732	4564	5bc95f5d8d3bf878098d8527bc679545.exe	96
PID 4564 wrote to memory of 4732	4564	5bc95f5d8d3bf878098d8527bc679545.exe	96
PID 4564 wrote to memory of 4732	4564	5bc95f5d8d3bf878098d8527bc679545.exe	96

C:\Users\Admin\AppData\Local\Temp\5bc95f5d8d3bf878098d8527bc679545.exe
"C:\Users\Admin\AppData\Local\Temp\5bc95f5d8d3bf878098d8527bc679545.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4564
- C:\Users\Admin\AppData\Local\Temp\5bc95f5d8d3bf878098d8527bc679545.exe
  "C:\Users\Admin\AppData\Local\Temp\5bc95f5d8d3bf878098d8527bc679545.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4564-133-0x0000000000FA0000-0x000000000104E000-memory.dmp

Filesize
696KB

Download
memory/4564-134-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/4564-135-0x0000000006320000-0x00000000068C4000-memory.dmp

Filesize
5.6MB

Download
memory/4564-136-0x0000000005E30000-0x0000000005EC2000-memory.dmp

Filesize
584KB

Download
memory/4564-137-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/4564-138-0x0000000006F70000-0x000000000700C000-memory.dmp

Filesize
624KB

Download
memory/4564-139-0x0000000005CF0000-0x0000000005D00000-memory.dmp

Filesize
64KB

Download
memory/4732-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4732-142-0x0000000001640000-0x000000000198A000-memory.dmp

Filesize
3.3MB

Download