formbook | 9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970

Analysis

max time kernel
135s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
08/06/2023, 10:53

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe
Size

968KB
MD5

31b4c9a8410d02e19dfd38ac81944b90
SHA1

3196a4fa70bae053fa9c4aabb34eef6d6c8d1516
SHA256

9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970
SHA512

8b15ecce9f6efb4c22a34cf4d0b58b2da3b25f73e3ec0794959c111582902f1386de73eb01bc84ae83fdee195600f1f5363a4e711e230dcd8fa11acd07a0c541
SSDEEP

24576:ddeb8P0iW3NMWVp+0w1Nj2dglxwmEgwF96fk:rP0iAiWP+0wDggsmEgmqk

Score

10^/10

formbook gg04 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gg04

Decoy

clothandsoulfabricllc.com

kx1336.com

4638.global

fixlaunchcredtunionmemb.online

indivexport.com

betuluzun.online

colossusboutique.com

hgcst.com

authorizer.online

hong-travel.com

globalwealthstrategiesco.com

fobberq.com

tribally.net

cook-a.com

todipjane.africa

membershipexams.africa

3dseal.online

abris-spb.ru

mkkkkk.net

chargecentral.store

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4608-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4368 set thread context of 4608	4368	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4608	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe
4608	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4368 wrote to memory of 4608	4368	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe	90
PID 4368 wrote to memory of 4608	4368	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe	90
PID 4368 wrote to memory of 4608	4368	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe	90
PID 4368 wrote to memory of 4608	4368	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe	90
PID 4368 wrote to memory of 4608	4368	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe	90
PID 4368 wrote to memory of 4608	4368	9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe	90

C:\Users\Admin\AppData\Local\Temp\9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe
"C:\Users\Admin\AppData\Local\Temp\9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4368
- C:\Users\Admin\AppData\Local\Temp\9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe
  "C:\Users\Admin\AppData\Local\Temp\9867dc4c4aad89a47aa9fcdc726b5296dac1a3150520140e6d7da4836448d970.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4368-133-0x0000000000280000-0x0000000000378000-memory.dmp

Filesize
992KB

Download
memory/4368-134-0x0000000005300000-0x00000000058A4000-memory.dmp

Filesize
5.6MB

Download
memory/4368-135-0x0000000004DF0000-0x0000000004E82000-memory.dmp

Filesize
584KB

Download
memory/4368-136-0x0000000004D30000-0x0000000004D3A000-memory.dmp

Filesize
40KB

Download
memory/4368-137-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4368-138-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/4368-139-0x0000000006BC0000-0x0000000006C5C000-memory.dmp

Filesize
624KB

Download
memory/4608-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4608-142-0x0000000001340000-0x000000000168A000-memory.dmp

Filesize
3.3MB

Download