formbook | 5eb2fdddbd470e55de54cab50d8906e00eb202714c9b0cb2fd95b4b58b3a125b

Analysis

max time kernel
43s
max time network
34s
platform
windows7_x64
resource
win7-20230703-en
resource tags

arch:x64arch:x86image:win7-20230703-enlocale:en-usos:windows7-x64system
submitted
08/07/2023, 03:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28cef10cd2959bbf874933daa5b5b899.exe
Size

551KB
MD5

28cef10cd2959bbf874933daa5b5b899
SHA1

4ee820e40ff8b9dde9d42a94a9cfb0b002a476af
SHA256

5eb2fdddbd470e55de54cab50d8906e00eb202714c9b0cb2fd95b4b58b3a125b
SHA512

1c25ab2b2a581606de55be7730a24427d49c5f8b18c8ad4e4e74f41f20a6ac0f9667a19421854e821f06e7c26cfa52a5f2686e231b5c8ee3546a600cee744a20
SSDEEP

12288:0BFdU55zwQP8KoC74LvZGb5U7tej0MHwhiqHnXP55GfYzth/K5Q:0BF61/Um4LvZ/QZw9X3GfGth/K5Q

Score

10^/10

formbook k2l0 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2l0

Decoy

thaomocquysonla.click

everblue-scr.com

yifangwuliu.top

zmrwe.buzz

xiaodong6.xyz

apartmentsforrent-gb-tok.bond

mtproductions.xyz

yattaya.com

thetastyfoodguide.com

gulfcoastclubfishing.com

capitalrepros.com

sonetpl.com

amenallelulia.com

shafanavn.com

1ywab.com

getflooringservices.today

quanhuipeng.com

tinytribecollective.com

mollyandpat.com

280175053.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2216-63-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3044 set thread context of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2216	28cef10cd2959bbf874933daa5b5b899.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28
PID 3044 wrote to memory of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28
PID 3044 wrote to memory of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28
PID 3044 wrote to memory of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28
PID 3044 wrote to memory of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28
PID 3044 wrote to memory of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28
PID 3044 wrote to memory of 2216	3044	28cef10cd2959bbf874933daa5b5b899.exe	28

C:\Users\Admin\AppData\Local\Temp\28cef10cd2959bbf874933daa5b5b899.exe
"C:\Users\Admin\AppData\Local\Temp\28cef10cd2959bbf874933daa5b5b899.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Users\Admin\AppData\Local\Temp\28cef10cd2959bbf874933daa5b5b899.exe
  "C:\Users\Admin\AppData\Local\Temp\28cef10cd2959bbf874933daa5b5b899.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2216-64-0x0000000000B10000-0x0000000000E13000-memory.dmp

Filesize
3.0MB

Download
memory/3044-54-0x0000000000A80000-0x0000000000B10000-memory.dmp

Filesize
576KB

Download
memory/3044-55-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/3044-56-0x0000000000230000-0x000000000023C000-memory.dmp

Filesize
48KB

Download
memory/3044-57-0x0000000004E80000-0x0000000004EC0000-memory.dmp

Filesize
256KB

Download
memory/3044-58-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/3044-59-0x00000000053A0000-0x000000000540E000-memory.dmp

Filesize
440KB

Download