formbook | 18fcb8604dc88c010d786be917f618a461876f5db6f80f1f8a64bc3b8fe48a98

Resubmissions

24-07-2023 06:32

230724-haylwaag65 10

16-07-2023 18:15

230716-wwbacshb7z 10

Analysis

max time kernel
116s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 06:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
Size

723KB
MD5

b659d359a6fafaf7954c78199552852e
SHA1

027ce3b08fe9c0c47114d6711fb26551eba96a72
SHA256

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a
SHA512

6699fc5fa65b322edb6ea59062b36deb2a33e481c608a49503c24d3479d7a1feed07ddcefdd9987e9943b5999125148c9330a1717db4f1e10a7377d4a6ef5689
SSDEEP

12288:Duc81q9I6/kldSCF3/86K+/YpJ6zFJpXZDyaod+ik4g8y3SoD:Duc8OM/8l+/2JW/JW2rEloD

Score

10^/10

formbook hkn rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hkn

Decoy

nickherbal.info

desenlicoraplar.com

logo8023.com

gta5.ltd

surgicalmind.com

sigmanautomotive.com

theophileblog.com

wallaborate.com

ottawatotalfootcare.com

theusacoupons.com

lagharha.com

393351u.info

letthemeatcakeny.com

imgoingtohellgame.com

lovedovesbeauty.com

cheapsalenow.com

prodigynebula.win

suzhoucheckmate.com

splashautopark.com

lieflokken.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral16/memory/1108-140-0x0000000000400000-0x000000000042D000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

description	pid	process	target process
PID 1940 set thread context of 1108	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

pid	process
1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
1108	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
1108	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

description pid process

Token: SeDebugPrivilege 1940 1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

description	pid	process
Token: SeDebugPrivilege	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

description	pid	process	target process
PID 1940 wrote to memory of 4656	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 4656	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 4656	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 1108	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 1108	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 1108	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 1108	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 1108	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
PID 1940 wrote to memory of 1108	1940	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe	1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe

C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
"C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1940

C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
"{path}"
2⤵
PID:4656

C:\Users\Admin\AppData\Local\Temp\1f7f6ca2d7c0431e07e974158a6e23129fdc19994f687be71daa68aa82b4510a.exe
"{path}"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1108

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-140-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/1108-143-0x0000000000F60000-0x00000000012AA000-memory.dmp

Filesize
3.3MB

Download
memory/1940-133-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1940-134-0x0000000000030000-0x00000000000EC000-memory.dmp

Filesize
752KB

Download
memory/1940-135-0x0000000004A80000-0x0000000004B1C000-memory.dmp

Filesize
624KB

Download
memory/1940-136-0x0000000004BC0000-0x0000000004C52000-memory.dmp

Filesize
584KB

Download
memory/1940-137-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download
memory/1940-138-0x0000000002390000-0x00000000023A0000-memory.dmp

Filesize
64KB

Download
memory/1940-139-0x0000000005780000-0x0000000005D24000-memory.dmp

Filesize
5.6MB

Download
memory/1940-142-0x00000000748B0000-0x0000000075060000-memory.dmp

Filesize
7.7MB

Download