formbook | 6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
10/10/2023, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
Size

700KB
MD5

32eca73388c09d03aa06f7f87602fac2
SHA1

8fff30284e55a9c9cf8d1838bb2158249c8f9677
SHA256

6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60
SHA512

73e74da117a4ea5fb4fe5b1d44c6733d049ec2d35250f5340b0ba7aab73bd61f282f35762745a511b9bd98bdeee2ff3de19d176905dfbd5bb65a30640206545a
SSDEEP

12288:wbl/Hdeyg7s9dERt9vy64AvWxSWOhf6GxK0psn7TpBi2ZUfOr5eVssmnxSGcIoH:o/HdeP7s96/dD4AF1xgosZw2ZUfO

Score

10^/10

formbook ur25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ur25

Decoy

discountstoreonline.store

profitwavemastery.com

cvqqrc9j.top

easyhub.xyz

dynamicelevateemporium.online

hlcapp.com

jayanamachine.com

agyaie.com

rentthecostume.net

jvjjdjsf.top

ratce.xyz

pensoupecas.com

nnc375.xyz

beingfrankwithcash.com

simplysoaps.store

jugouqduj.top

rampageoriginal.com

tigglywinks.com

stillnightjohns.fun

exchadom002.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2748-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1624 set thread context of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
2748	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1624 wrote to memory of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28
PID 1624 wrote to memory of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28
PID 1624 wrote to memory of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28
PID 1624 wrote to memory of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28
PID 1624 wrote to memory of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28
PID 1624 wrote to memory of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28
PID 1624 wrote to memory of 2748	1624	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	28

C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1624
- C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2748

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1624-6-0x00000000005D0000-0x00000000005E0000-memory.dmp

Filesize
64KB

Download
memory/1624-15-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/1624-2-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/1624-3-0x00000000004B0000-0x00000000004C8000-memory.dmp

Filesize
96KB

Download
memory/1624-4-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/1624-5-0x00000000004D0000-0x0000000000510000-memory.dmp

Filesize
256KB

Download
memory/1624-7-0x0000000007300000-0x000000000736E000-memory.dmp

Filesize
440KB

Download
memory/1624-0-0x0000000000940000-0x00000000009F6000-memory.dmp

Filesize
728KB

Download
memory/1624-1-0x00000000741D0000-0x00000000748BE000-memory.dmp

Filesize
6.9MB

Download
memory/2748-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2748-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2748-16-0x0000000000A00000-0x0000000000D03000-memory.dmp

Filesize
3.0MB

Download