formbook | 238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458

Analysis

max time kernel
123s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
04/07/2023, 13:20

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe
Size

238KB
MD5

8ec5b6656574a65d6f57b1f27decd161
SHA1

6cfb91be22a7c684e04cdc3e4e36f3c43c7e702f
SHA256

238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458
SHA512

b0848c25c587590b47349faef70e48f64995fbe566bcd55bf360181193bc04f5af5d18a1bfd85f01c7d3b01c6d69f11b4d2b8f21bd6fcaf5cbc82a2b5112f933
SSDEEP

6144:PYa6VVMUOy1kznVL5hQg0KLB2GkjRLL7w6rdv+:PYfmukbVLH70KMJjRbw6rdv+

Score

10^/10

formbook da23 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

da23

Decoy

jiuse896.com

htdingguanji.com

gbwnxhdxaudxi.com

stakoov.com

tuttu517.com

shubaerc.com

bytxon.xyz

9ihoa7.com

pacificpanacea.com

hubawatch.com

hei0obbq8sp9te.xyz

19xqe6.cfd

anagecre.com

fwradi.online

45188.icu

institutdelama.com

picateers.pro

ewmsty.site

yamaharigs.com

jistream.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4764-141-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Loads dropped DLL 1 IoCs

pid	Process
3844	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3844 set thread context of 4764	3844	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe	82

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4764	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe
4764	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
3844	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 3844 wrote to memory of 4764	3844	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe	82
PID 3844 wrote to memory of 4764	3844	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe	82
PID 3844 wrote to memory of 4764	3844	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe	82
PID 3844 wrote to memory of 4764	3844	238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe	82

C:\Users\Admin\AppData\Local\Temp\238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe
"C:\Users\Admin\AppData\Local\Temp\238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3844
- C:\Users\Admin\AppData\Local\Temp\238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe
  "C:\Users\Admin\AppData\Local\Temp\238864be2d731bc5838b95c8bb50b961d19f04b6b64d3daf323db967266fa458.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nskD1AA.tmp\xnkkwcvzv.dll

Filesize
10KB

MD5
76c9bc90fe94ed2de99af273900404dc

SHA1
8e23684dbe55183c6916f1533ff1870c85d6fdeb

SHA256
4e2bb7ba85a7232e9d9e1e0918e0e0a2f919a4e184fa18f61e312830070728ae

SHA512
1acd615bb5948c27e52ecc855f9a7ec32d84f2d6411a8e036f4570d289fa9baf377d503fe81098172f074d70d1b852413261239b1ca03a04a8778c6867a95ae6

Download Submit
memory/3844-140-0x0000000000B70000-0x0000000000B72000-memory.dmp

Filesize
8KB

Download
memory/4764-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4764-144-0x0000000000A90000-0x0000000000DDA000-memory.dmp

Filesize
3.3MB

Download