formbook | 136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e

Analysis

max time kernel
142s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
06-07-2023 11:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe
Size

774KB
MD5

6d594b093b4d5aef208807fcebf40e05
SHA1

dcb78d2eaa1f882f3ab142e11844bde48f1c6834
SHA256

136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e
SHA512

6fae1f69e451c374810061bb53dbe5377c4e6fa48b98769ce599aa37518a05b6350e385394ad8734bbcd12db69c6ac83e3f198e8f859cc3640327f03b5ebf5e7
SSDEEP

12288:/d6L7PVYfgiKbhaDnLMzIL2q+RTdOL8c9Ve20pNiWtvGQAPpPM89ztTVqvbTlTPe:IOyqGUL8cmNrtwP95zRVqv/lz5iQ5c

Score

10^/10

formbook ga93 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ga93

Decoy

wetherd.africa

beedule.com

examhacker.africa

clcgfwz.com

comparingthecloud.com

linehansenbooks.com

ihdshvbp.shop

barrickgold.shop

dynamicsinplay.com

lechon.digital

gethuger.online

midnight-iog.net

gateregistry.shop

chasescentoil.com

kupitprava.info

klopv.online

flylabel.tech

growthnonstop.com

internazional.com

cyxmzy.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3104-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4604 set thread context of 3104	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	91

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe
4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe
3104	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe
3104	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4604 wrote to memory of 4760	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	90
PID 4604 wrote to memory of 4760	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	90
PID 4604 wrote to memory of 4760	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	90
PID 4604 wrote to memory of 3104	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	91
PID 4604 wrote to memory of 3104	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	91
PID 4604 wrote to memory of 3104	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	91
PID 4604 wrote to memory of 3104	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	91
PID 4604 wrote to memory of 3104	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	91
PID 4604 wrote to memory of 3104	4604	136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe	91

C:\Users\Admin\AppData\Local\Temp\136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe
"C:\Users\Admin\AppData\Local\Temp\136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4604
- C:\Users\Admin\AppData\Local\Temp\136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe
  "C:\Users\Admin\AppData\Local\Temp\136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe"
  2⤵
  PID:4760
- C:\Users\Admin\AppData\Local\Temp\136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe
  "C:\Users\Admin\AppData\Local\Temp\136c006862c2262205fa40f61daaf18a5d4209bebc0236d7c8743ec554d0482e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3104-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3104-142-0x00000000012E0000-0x000000000162A000-memory.dmp

Filesize
3.3MB

Download
memory/4604-133-0x0000000000C30000-0x0000000000CF6000-memory.dmp

Filesize
792KB

Download
memory/4604-134-0x0000000005BC0000-0x0000000006164000-memory.dmp

Filesize
5.6MB

Download
memory/4604-135-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/4604-136-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4604-137-0x0000000005770000-0x000000000577A000-memory.dmp

Filesize
40KB

Download
memory/4604-138-0x0000000005650000-0x0000000005660000-memory.dmp

Filesize
64KB

Download
memory/4604-139-0x0000000007050000-0x00000000070EC000-memory.dmp

Filesize
624KB

Download