formbook | 708e685f0db9aab8e31d170d6e05f85aa906273fec441a2e4a696fd140f6f0bf

Analysis

max time kernel
166s
max time network
173s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
08/10/2023, 01:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
Size

797KB
MD5

4e0a57febe7c13d6f294ea34cbfc5cbf
SHA1

f52a1d2cb7613c8fea67466dbbbce684541076a5
SHA256

4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875
SHA512

47a2824b4dea833948cde7ad378b5a30a58a7b7945695e556c96858a0c11484ccbed6256c3f7c63035b7de02da4d87619fd26de4913313143d617dac651085a7
SSDEEP

24576:0uLklAVXeIpaVidw9koilGCKfwd2WQkRv0yw1FuZdu:NLvV+19pilHK4dj9R8Hu+

Score

10^/10

formbook ny02 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ny02

Decoy

unirewards.online

giaoxuthanhgia.com

jennifersarrasin.online

hotelcampestrelafloresta.com

rwardsuprefortunerabbit.website

wanguardplacements.com

myfittedbedroomboutique.com

romariiregenerative.com

fashionhabesha.online

q778.top

embodiedtruthmethod.online

petgoodies.store

prismeventsandtours.com

onlinedelight.tech

segoviaresidencial.com

livewin.win

qhyhxs.com

kemprut.com

sanghahealing.net

forcewealthpower.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2216-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2884 set thread context of 2216	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	98

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2216	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2216	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2884 wrote to memory of 2216	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	98
PID 2884 wrote to memory of 2216	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	98
PID 2884 wrote to memory of 2216	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	98
PID 2884 wrote to memory of 2216	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	98
PID 2884 wrote to memory of 2216	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	98
PID 2884 wrote to memory of 2216	2884	4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe	98

C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
"C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe
  "C:\Users\Admin\AppData\Local\Temp\4af5374d05140e1ebf05625397c061e7e6e6396597399880f903cdda22466875.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2216

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2216-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2216-13-0x0000000001580000-0x00000000018CA000-memory.dmp

Filesize
3.3MB

Download
memory/2884-6-0x0000000005A80000-0x0000000005A98000-memory.dmp

Filesize
96KB

Download
memory/2884-3-0x0000000005890000-0x0000000005922000-memory.dmp

Filesize
584KB

Download
memory/2884-4-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/2884-5-0x0000000005810000-0x000000000581A000-memory.dmp

Filesize
40KB

Download
memory/2884-0-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2884-7-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/2884-8-0x0000000005AA0000-0x0000000005AB0000-memory.dmp

Filesize
64KB

Download
memory/2884-9-0x0000000005B20000-0x0000000005B30000-memory.dmp

Filesize
64KB

Download
memory/2884-10-0x0000000008360000-0x00000000083FC000-memory.dmp

Filesize
624KB

Download
memory/2884-11-0x000000000AB20000-0x000000000ABBC000-memory.dmp

Filesize
624KB

Download
memory/2884-2-0x0000000005E40000-0x00000000063E4000-memory.dmp

Filesize
5.6MB

Download
memory/2884-1-0x0000000000D40000-0x0000000000E0E000-memory.dmp

Filesize
824KB

Download
memory/2884-15-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download