formbook | fbaea63cf0928cdd548719ce257ea3813b92a8765f561bbe7e8842e7d830b87e

Analysis

max time kernel
44s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09/06/2023, 08:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e960f10f4c8fd0f6b380743439c91fdb.exe
Size

946KB
MD5

e960f10f4c8fd0f6b380743439c91fdb
SHA1

ccf3feb1d2f7e01c0732fee057e01d13285eb90d
SHA256

fbaea63cf0928cdd548719ce257ea3813b92a8765f561bbe7e8842e7d830b87e
SHA512

cf22f2fdb305bdff5a7d25a5d1e5e7db097df391e56f66cfc2c5118f1cf063a0123eb2be6e978d6909ca856fad814eb0be65d2ac45d3dab918ef3c8869d189db
SSDEEP

24576:PuHeMjlSADnET+YvWBThrbJnJz+ydKbxsg:2+Q7DErvchJ6QKFs

Score

10^/10

formbook btrd rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

toulouse.gold

launchyouglobal.com

margarita-services.com

dasnail.club

casa-hilo.com

hardscapesofflorida.com

thepositivitypulse.com

kkmyanev.cfd

love6ace22.top

castorcruise.com

chch6.com

h59f07jy.cfd

saatvikteerthyatra.com

fxsecuretrading-option.com

mostbet-k1o.click

36-m.beauty

ko-or-a-news.com

eurekatextile.com

gynlkj.com

deepsouthcraftsman.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1476-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1644 set thread context of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1644	e960f10f4c8fd0f6b380743439c91fdb.exe
1476	e960f10f4c8fd0f6b380743439c91fdb.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1644	e960f10f4c8fd0f6b380743439c91fdb.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1644 wrote to memory of 560	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	28
PID 1644 wrote to memory of 560	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	28
PID 1644 wrote to memory of 560	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	28
PID 1644 wrote to memory of 560	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	28
PID 1644 wrote to memory of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29
PID 1644 wrote to memory of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29
PID 1644 wrote to memory of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29
PID 1644 wrote to memory of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29
PID 1644 wrote to memory of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29
PID 1644 wrote to memory of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29
PID 1644 wrote to memory of 1476	1644	e960f10f4c8fd0f6b380743439c91fdb.exe	29

C:\Users\Admin\AppData\Local\Temp\e960f10f4c8fd0f6b380743439c91fdb.exe
"C:\Users\Admin\AppData\Local\Temp\e960f10f4c8fd0f6b380743439c91fdb.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1644
- C:\Users\Admin\AppData\Local\Temp\e960f10f4c8fd0f6b380743439c91fdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e960f10f4c8fd0f6b380743439c91fdb.exe"
  2⤵
  PID:560
- C:\Users\Admin\AppData\Local\Temp\e960f10f4c8fd0f6b380743439c91fdb.exe
  "C:\Users\Admin\AppData\Local\Temp\e960f10f4c8fd0f6b380743439c91fdb.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1476

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1476-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1476-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1476-64-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download
memory/1644-54-0x0000000000CF0000-0x0000000000DE2000-memory.dmp

Filesize
968KB

Download
memory/1644-55-0x0000000004DA0000-0x0000000004DE0000-memory.dmp

Filesize
256KB

Download
memory/1644-56-0x00000000003E0000-0x00000000003F4000-memory.dmp

Filesize
80KB

Download
memory/1644-57-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1644-58-0x0000000005D10000-0x0000000005D80000-memory.dmp

Filesize
448KB

Download
memory/1644-59-0x0000000000A80000-0x0000000000AB8000-memory.dmp

Filesize
224KB

Download