formbook | 6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60

Analysis

max time kernel
146s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2023, 17:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
Size

700KB
MD5

32eca73388c09d03aa06f7f87602fac2
SHA1

8fff30284e55a9c9cf8d1838bb2158249c8f9677
SHA256

6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60
SHA512

73e74da117a4ea5fb4fe5b1d44c6733d049ec2d35250f5340b0ba7aab73bd61f282f35762745a511b9bd98bdeee2ff3de19d176905dfbd5bb65a30640206545a
SSDEEP

12288:wbl/Hdeyg7s9dERt9vy64AvWxSWOhf6GxK0psn7TpBi2ZUfOr5eVssmnxSGcIoH:o/HdeP7s96/dD4AF1xgosZw2ZUfO

Score

10^/10

formbook ur25 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ur25

Decoy

discountstoreonline.store

profitwavemastery.com

cvqqrc9j.top

easyhub.xyz

dynamicelevateemporium.online

hlcapp.com

jayanamachine.com

agyaie.com

rentthecostume.net

jvjjdjsf.top

ratce.xyz

pensoupecas.com

nnc375.xyz

beingfrankwithcash.com

simplysoaps.store

jugouqduj.top

rampageoriginal.com

tigglywinks.com

stillnightjohns.fun

exchadom002.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/860-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3436 set thread context of 860	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	94

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
860	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
860	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 860	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	94
PID 3436 wrote to memory of 860	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	94
PID 3436 wrote to memory of 860	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	94
PID 3436 wrote to memory of 860	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	94
PID 3436 wrote to memory of 860	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	94
PID 3436 wrote to memory of 860	3436	6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe	94

C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
"C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\6ec844914b335f0e27b9f536da5691fcc06e6ecc80d0af8dd7bc3ed8b3ee0a60_JC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:860

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/860-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/860-15-0x0000000001570000-0x00000000018BA000-memory.dmp

Filesize
3.3MB

Download
memory/3436-6-0x00000000074B0000-0x00000000074C8000-memory.dmp

Filesize
96KB

Download
memory/3436-3-0x00000000070F0000-0x0000000007182000-memory.dmp

Filesize
584KB

Download
memory/3436-4-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/3436-5-0x00000000071B0000-0x00000000071BA000-memory.dmp

Filesize
40KB

Download
memory/3436-0-0x0000000000170000-0x0000000000226000-memory.dmp

Filesize
728KB

Download
memory/3436-7-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3436-8-0x0000000007210000-0x0000000007220000-memory.dmp

Filesize
64KB

Download
memory/3436-9-0x0000000007490000-0x00000000074A0000-memory.dmp

Filesize
64KB

Download
memory/3436-10-0x0000000008910000-0x000000000897E000-memory.dmp

Filesize
440KB

Download
memory/3436-11-0x0000000005DC0000-0x0000000005E5C000-memory.dmp

Filesize
624KB

Download
memory/3436-2-0x00000000075C0000-0x0000000007B64000-memory.dmp

Filesize
5.6MB

Download
memory/3436-14-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download
memory/3436-1-0x00000000751E0000-0x0000000075990000-memory.dmp

Filesize
7.7MB

Download