formbook | 3068-12-0x0000000000400000-0x000000000042F000-memory[.]dmp

General

Target

3068-12-0x0000000000400000-0x000000000042F000-memory.dmp
Size

188KB
MD5

c895acd6a7294bdc25ae10f5ad089795
SHA1

55f2ab07e6d62130ac039c1078058d2ebf9c1610
SHA256

d14ab681fd543647bc745e2f4698ef4277ef92462a33e7f9c6f73888e6792249
SHA512

22e27f145b98c1c8d6b0fc2a66c8cf682e62331fc67eb973f261cc66825c914cf8f25db0e357e60bcb48df5db46372168181abff3dc3abe893fb85b352767618
SSDEEP

3072:/nkskIT0SOk4V38fUDBGLq7lqQoEuioZrs/5kanQvYipiDbW7USBNs8:p7458MDTlqQoEujW57PqimBS8

Score

10^/10

rat go95 formbook

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

go95

Decoy

shellveil.com

digitaldame.shop

gsqjrl.top

freitasfamilylaw.com

alliancetransportllc.com

connecthospitality.work

awwaloon.com

fomohour.xyz

sjapkhuf.top

designmcraft.com

travelguidanceer.pro

vejashoessuomi.com

smallsipsteel.com

hallowedhavenstudios.com

bestonsports.com

touxiong53a.com

azgskyhvz4.top

strategicroulette.com

69farma.com

cosmosoftventures.com

Signatures

Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
sample	formbook

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

resource
3068-12-0x0000000000400000-0x000000000042F000-memory.dmp

Files

3068-12-0x0000000000400000-0x000000000042F000-memory.dmp
.exe windows:5 windows x86

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE

Sections

.text
Size: 180KB - Virtual size: 180KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Extracted

Signatures

Files

Headers

DLL Characteristics

File Characteristics

Sections

.text Size: 180KB - Virtual size: 180KB

.text
Size: 180KB - Virtual size: 180KB