formbook | 18fcb8604dc88c010d786be917f618a461876f5db6f80f1f8a64bc3b8fe48a98

Resubmissions

24-07-2023 06:32

230724-haylwaag65 10

16-07-2023 18:15

230716-wwbacshb7z 10

Analysis

max time kernel
118s
max time network
148s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
24-07-2023 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
Size

723KB
MD5

b659d359a6fafaf7954c78199552852e
SHA1

027ce3b08fe9c0c47114d6711fb26551eba96a72
SHA256

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a
SHA512

6699fc5fa65b322edb6ea59062b36deb2a33e481c608a49503c24d3479d7a1feed07ddcefdd9987e9943b5999125148c9330a1717db4f1e10a7377d4a6ef5689
SSDEEP

12288:Duc81q9I6/kldSCF3/86K+/YpJ6zFJpXZDyaod+ik4g8y3SoD:Duc8OM/8l+/2JW/JW2rEloD

Score

10^/10

formbook hkn rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hkn

Decoy

nickherbal.info

desenlicoraplar.com

logo8023.com

gta5.ltd

surgicalmind.com

sigmanautomotive.com

theophileblog.com

wallaborate.com

ottawatotalfootcare.com

theusacoupons.com

lagharha.com

393351u.info

letthemeatcakeny.com

imgoingtohellgame.com

lovedovesbeauty.com

cheapsalenow.com

prodigynebula.win

suzhoucheckmate.com

splashautopark.com

lieflokken.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral15/memory/2800-64-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
2800	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2436	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	30
PID 2100 wrote to memory of 2436	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	30
PID 2100 wrote to memory of 2436	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	30
PID 2100 wrote to memory of 2436	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	30
PID 2100 wrote to memory of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31
PID 2100 wrote to memory of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31
PID 2100 wrote to memory of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31
PID 2100 wrote to memory of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31
PID 2100 wrote to memory of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31
PID 2100 wrote to memory of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31
PID 2100 wrote to memory of 2800	2100	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	31

C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
"C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
  "{path}"
  2⤵
  PID:2436
- C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2800

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2100-65-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-55-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-56-0x0000000000330000-0x000000000033A000-memory.dmp

Filesize
40KB

Download
memory/2100-57-0x0000000074290000-0x000000007497E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-58-0x0000000004A90000-0x0000000004AD0000-memory.dmp

Filesize
256KB

Download
memory/2100-59-0x0000000000AA0000-0x0000000000ADA000-memory.dmp

Filesize
232KB

Download
memory/2100-54-0x0000000001010000-0x00000000010CC000-memory.dmp

Filesize
752KB

Download
memory/2800-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2800-62-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2800-64-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2800-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2800-66-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/2800-67-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download