formbook | 88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8

Analysis

max time kernel
126s
max time network
137s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
01-11-2023 05:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe
Size

744KB
MD5

5c09000c1e5da74778d77be881f87810
SHA1

dcf203cbe2ad9ed6e588c708a5819a3c9c98b660
SHA256

88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8
SHA512

30ee1863ee28ab4a638cf5fd09466edeb2a62047e7d51b5b841a1b41f0209bcf40fd5231dd13ac6526bf0c14b1c72585a5cb67a6c273b9209c7ecbc2488b21fc
SSDEEP

12288:sboaxr4plPNelaqHFsQe2WzKr/BnGzsIQTLsjT7zkTcAoPFOA0TOdYqWOEnOEuVe:WMl8laAFsQ7r/BSsIQTCT7zkT6qadFW7

Score

10^/10

formbook 4hc5 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

4hc5

Decoy

amandaastburyillustration.com

7141999.com

showshoe.info

sagemarlin.com

lithuaniandreamtime.com

therenixgroupllc.com

avalialooks.shop

vurporn.com

lemmy.systems

2816goldfinch.com

pacersun.com

checktrace.com

loadtransfer.site

matsuri-jujutsukaisen.com

iontrapper.science

5108010.com

beidixi.com

21305599.com

peakvitality.fitness

osisfeelingfee.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/5068-13-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1880 set thread context of 5068	1880	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe	71

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5068	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe
5068	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 5068	1880	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe	71
PID 1880 wrote to memory of 5068	1880	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe	71
PID 1880 wrote to memory of 5068	1880	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe	71
PID 1880 wrote to memory of 5068	1880	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe	71
PID 1880 wrote to memory of 5068	1880	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe	71
PID 1880 wrote to memory of 5068	1880	88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe	71

C:\Users\Admin\AppData\Local\Temp\88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe
"C:\Users\Admin\AppData\Local\Temp\88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Users\Admin\AppData\Local\Temp\88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe
  "C:\Users\Admin\AppData\Local\Temp\88558ffe27726373b0cb9ce9a5d612ab009a1693487e366a32c55ec16e5b8ab8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-8-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/1880-6-0x0000000005E50000-0x0000000005E60000-memory.dmp

Filesize
64KB

Download
memory/1880-2-0x0000000004E80000-0x000000000537E000-memory.dmp

Filesize
5.0MB

Download
memory/1880-3-0x0000000004980000-0x0000000004A12000-memory.dmp

Filesize
584KB

Download
memory/1880-0-0x0000000000030000-0x00000000000F0000-memory.dmp

Filesize
768KB

Download
memory/1880-5-0x0000000004950000-0x000000000495A000-memory.dmp

Filesize
40KB

Download
memory/1880-1-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-7-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/1880-4-0x0000000004930000-0x0000000004940000-memory.dmp

Filesize
64KB

Download
memory/1880-9-0x0000000005F70000-0x0000000005F76000-memory.dmp

Filesize
24KB

Download
memory/1880-10-0x0000000005F80000-0x0000000005F8A000-memory.dmp

Filesize
40KB

Download
memory/1880-11-0x0000000006020000-0x00000000060B0000-memory.dmp

Filesize
576KB

Download
memory/1880-12-0x00000000087E0000-0x000000000887C000-memory.dmp

Filesize
624KB

Download
memory/1880-15-0x0000000073190000-0x000000007387E000-memory.dmp

Filesize
6.9MB

Download
memory/5068-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/5068-16-0x00000000013E0000-0x0000000001700000-memory.dmp

Filesize
3.1MB

Download