formbook | 9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504fe

Analysis

max time kernel
143s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
23/10/2023, 17:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe
Size

575KB
MD5

c1feb44ae338eb00dbe923fd56d5a18a
SHA1

26e1bc57820890dff65966d74f66019403fadcdd
SHA256

9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504fe
SHA512

fff511f1e1031adfc3cd9457298ff5e1ef16201200b6ad1a769331a3d915a18ced09d82b32e3fd3f2e8556a5f85fab5d04a2114349a09850a72325b4fbddcc82
SSDEEP

12288:E/jNu5VoGUpQCYaSm2KuJPkoF+KUr94xsJwQZG588YrX10/4:ELNu5Vo2CYaRBuJPkoUpp4s85

Score

10^/10

formbook k0p2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k0p2

Decoy

theluxurytraveljournal.com

skybet10.com

mountruqal.online

onlyones.xyz

kloea.top

studio7crochet.online

dhv9gmy.top

walkereld.com

script-shore.com

bwerger02.xyz

clempi.xyz

lishapanchal.com

imagemaza.com

ludu65.com

zenith-leadership.com

undertheradar.zone

802cm.top

budeny.com

piabellacasino338.com

eclipse-demolition.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1404-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4260 set thread context of 1404	4260	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1404	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe
1404	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 1404	4260	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe	92
PID 4260 wrote to memory of 1404	4260	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe	92
PID 4260 wrote to memory of 1404	4260	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe	92
PID 4260 wrote to memory of 1404	4260	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe	92
PID 4260 wrote to memory of 1404	4260	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe	92
PID 4260 wrote to memory of 1404	4260	NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe	92

C:\Users\Admin\AppData\Local\Temp\NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe
"C:\Users\Admin\AppData\Local\Temp\NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Users\Admin\AppData\Local\Temp\NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\NEAS.9d507d3f7b58d898ff10eb7443b6feb32ea2ea6972d3ceafa67e2e0a1d0504feexe_JC.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1404

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1404-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1404-15-0x0000000001690000-0x00000000019DA000-memory.dmp

Filesize
3.3MB

Download
memory/4260-6-0x0000000005BE0000-0x0000000005C7C000-memory.dmp

Filesize
624KB

Download
memory/4260-3-0x00000000058F0000-0x0000000005982000-memory.dmp

Filesize
584KB

Download
memory/4260-4-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/4260-5-0x00000000059A0000-0x00000000059AA000-memory.dmp

Filesize
40KB

Download
memory/4260-0-0x0000000000E70000-0x0000000000F06000-memory.dmp

Filesize
600KB

Download
memory/4260-7-0x0000000005C80000-0x0000000005C98000-memory.dmp

Filesize
96KB

Download
memory/4260-8-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4260-9-0x0000000005A40000-0x0000000005A50000-memory.dmp

Filesize
64KB

Download
memory/4260-10-0x0000000005CA0000-0x0000000005CB0000-memory.dmp

Filesize
64KB

Download
memory/4260-11-0x0000000007230000-0x000000000729E000-memory.dmp

Filesize
440KB

Download
memory/4260-2-0x0000000005DC0000-0x0000000006364000-memory.dmp

Filesize
5.6MB

Download
memory/4260-14-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download
memory/4260-1-0x0000000074580000-0x0000000074D30000-memory.dmp

Filesize
7.7MB

Download