formbook | e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
12/10/2023, 13:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

47ea784b5aa582da550a12add7ccd74d.exe
Size

588KB
MD5

47ea784b5aa582da550a12add7ccd74d
SHA1

5b6ae1d9193def3a895b102bc8340120bd5b8ea5
SHA256

e3adb8e74cd21839185ef70b6430c229a34636536412afc08bfbf1b8a610b359
SHA512

b4be253005f12497d76c320d14e3a9efc8632fe381baf6e1ff7aef6de5d4dc963fbfc83a944ce1f99939d3e7626ee0fb47d6b0687041d54b0b4e2e1ebd86306e
SSDEEP

12288:12iNMyiRJU/WcGzm+ELUGomnz95ZaYXsWcB69OFv6GezldNxbfvoRRDEtBA:11FFe+tYGJnz95ZaYXmB6k6hBnxzgTDV

Score

10^/10

formbook o5gu rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o5gu

Decoy

jonathanvuportfolio.website

moneyboost.net

imikecutyou.com

toollessassembling.com

keoinfra.com

mackenziejamesphoto.com

zenovaa.com

ngmnetwork.com

odropoficial.com

huyangli.company

ganjajuice.info

promptmechanic.xyz

crispyjoy.com

dinevintageshirts.com

heyxop.online

hopefinancialmarketingph.com

weeklyvolcano.app

consultoriopmn.com

seetheratequote.com

ftds77.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2624-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1448 set thread context of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2624	47ea784b5aa582da550a12add7ccd74d.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30
PID 1448 wrote to memory of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30
PID 1448 wrote to memory of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30
PID 1448 wrote to memory of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30
PID 1448 wrote to memory of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30
PID 1448 wrote to memory of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30
PID 1448 wrote to memory of 2624	1448	47ea784b5aa582da550a12add7ccd74d.exe	30

C:\Users\Admin\AppData\Local\Temp\47ea784b5aa582da550a12add7ccd74d.exe
"C:\Users\Admin\AppData\Local\Temp\47ea784b5aa582da550a12add7ccd74d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\47ea784b5aa582da550a12add7ccd74d.exe
  "C:\Users\Admin\AppData\Local\Temp\47ea784b5aa582da550a12add7ccd74d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2624

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1448-6-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/1448-13-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-2-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1448-3-0x0000000000480000-0x000000000049A000-memory.dmp

Filesize
104KB

Download
memory/1448-4-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/1448-5-0x0000000004C60000-0x0000000004CA0000-memory.dmp

Filesize
256KB

Download
memory/1448-7-0x0000000004EA0000-0x0000000004F0E000-memory.dmp

Filesize
440KB

Download
memory/1448-0-0x0000000000A30000-0x0000000000ACA000-memory.dmp

Filesize
616KB

Download
memory/1448-1-0x0000000074300000-0x00000000749EE000-memory.dmp

Filesize
6.9MB

Download
memory/2624-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2624-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2624-14-0x0000000000AD0000-0x0000000000DD3000-memory.dmp

Filesize
3.0MB

Download