formbook | 841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410

Analysis

max time kernel
51s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
08-06-2023 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe
Size

816KB
MD5

f9df3670e25d3846200606958b47c4e5
SHA1

1177bfdae58c9f07f1bfc4d873a02562423c20d8
SHA256

841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410
SHA512

9895e4d8bf6649838aefe23fa904d70256dac09003d4b18b1a5bda7c61896c30982828077e349810d88492ae6eacb3721ff3a82fc83975f6d8c4599c459bb6d4
SSDEEP

12288:1S8hue/3H1OdvmnHKpBnM8NU1TwBiW7okCT66tk0riptH+VO8kevckNx:1BOdv8KpS8dBX7o7Fctekk

Score

10^/10

formbook ga36 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ga36

Decoy

700kitchen.com

udda.app

fractionalgc.tech

tipmercados.net

2-upapparel.net

directbookdiscount.com

koewetzeltours.com

d7c8-iuxt.com

hamaancook.com

benjaimnmoore.com

yimaglobal.africa

dispovapo.com

aseguvenlik.com

battery-worth.com

dddanbao.mobi

blueskyauberge.com

740.mobi

betterbonella.com

liverally.club

czubao.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/588-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 916 set thread context of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe
588	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 564	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	27
PID 916 wrote to memory of 564	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	27
PID 916 wrote to memory of 564	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	27
PID 916 wrote to memory of 564	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	27
PID 916 wrote to memory of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28
PID 916 wrote to memory of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28
PID 916 wrote to memory of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28
PID 916 wrote to memory of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28
PID 916 wrote to memory of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28
PID 916 wrote to memory of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28
PID 916 wrote to memory of 588	916	841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe	28

C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe
"C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:916
- C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe
  "C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe"
  2⤵
  PID:564
- C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe
  "C:\Users\Admin\AppData\Local\Temp\841f916fd211961d16b57c00fede97127720d6d2ea52e914fa13661b1d728410.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:588

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/588-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/588-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/588-64-0x0000000000A40000-0x0000000000D43000-memory.dmp

Filesize
3.0MB

Download
memory/916-54-0x0000000001250000-0x0000000001322000-memory.dmp

Filesize
840KB

Download
memory/916-55-0x0000000004E10000-0x0000000004E50000-memory.dmp

Filesize
256KB

Download
memory/916-56-0x0000000000200000-0x000000000020E000-memory.dmp

Filesize
56KB

Download
memory/916-57-0x0000000000270000-0x000000000027A000-memory.dmp

Filesize
40KB

Download
memory/916-58-0x00000000052A0000-0x0000000005310000-memory.dmp

Filesize
448KB

Download
memory/916-59-0x0000000000600000-0x0000000000638000-memory.dmp

Filesize
224KB

Download