formbook | 2088-0-0x0000000000400000-0x000000000052F000-memory[.]dmp

General

Target

2088-0-0x0000000000400000-0x000000000052F000-memory.dmp
Size

1.2MB
MD5

e8d601e6bdc2fab197fb5e2d388a6e97
SHA1

2828fb688005758ee62ed74c99185851378ce1a4
SHA256

fe8315d037828a352f15cdbc1c79ec98ff15e5031603592ec2d49f8421fb7c42
SHA512

52ae7bee8c3c8175a973c2e54649cd9e807fabdca689960b6058378bb9c2e7baff141e46d831154c662d3a5d988e457c34b518996c0007ff55a53f84dbad3e4f
SSDEEP

12288:7dvHD7X2OIU6kka/6HfU4l69SnDOorGNO7c4KuTmvzKI3aCnEjBijKva3CMVBAVz:51/6kk9HfhFnDOoLc4KDbmaDVBAB

Score

10^/10

rat ca formbook

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ca

Decoy

etrade668.com

witchwardrobe.com

fresh-express.info

court-of-protection-abuse.com

mydomaine.pizza

chiquirritmo.com

goldennestconstructions.com

gldqn.com

songkorea.com

epaqint.com

3201wargyle1s.info

batdongsanhungphu.com

higheredandbeyond.com

tenpro25.date

drzcapital.com

corporativoacarsa.com

happyupward.net

aljyc.link

travellerit.com

dazhongpuhui.com

Signatures

Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
sample	formbook

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
2088-0-0x0000000000400000-0x000000000052F000-memory.dmp

Files

2088-0-0x0000000000400000-0x000000000052F000-memory.dmp
.exe windows x86

Headers

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_BYTES_REVERSED_LO
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_BYTES_REVERSED_HI

Sections

CODE
Size: 860KB - Virtual size: 860KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

DATA
Size: 31KB - Virtual size: 31KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

BSS
Size: - Virtual size: 3KB

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.idata
Size: 10KB - Virtual size: 9KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.tls
Size: - Virtual size: 32B

IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rdata
Size: 512B - Virtual size: 24B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 66KB - Virtual size: 65KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.rsrc
Size: 220KB - Virtual size: 219KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

File Characteristics

Sections

CODE Size: 860KB - Virtual size: 860KB

DATA Size: 31KB - Virtual size: 31KB

BSS Size: - Virtual size: 3KB

.idata Size: 10KB - Virtual size: 9KB

.tls Size: - Virtual size: 32B

.rdata Size: 512B - Virtual size: 24B

.reloc Size: 66KB - Virtual size: 65KB

.rsrc Size: 220KB - Virtual size: 219KB

CODE
Size: 860KB - Virtual size: 860KB

DATA
Size: 31KB - Virtual size: 31KB

BSS
Size: - Virtual size: 3KB

.idata
Size: 10KB - Virtual size: 9KB

.tls
Size: - Virtual size: 32B

.rdata
Size: 512B - Virtual size: 24B

.reloc
Size: 66KB - Virtual size: 65KB

.rsrc
Size: 220KB - Virtual size: 219KB