formbook | 024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5

Analysis

max time kernel
128s
max time network
137s
platform
windows10-1703_x64
resource
win10-20231020-en
resource tags

arch:x64arch:x86image:win10-20231020-enlocale:en-usos:windows10-1703-x64system
submitted
03/11/2023, 02:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe
Size

550KB
MD5

6981fc2102b4a2e0f959b202df182f8a
SHA1

9d4ec84685c8fe4fdceaff7aaedd69aafef9b3ad
SHA256

024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5
SHA512

af9ce535fb69b0dfe96c5872e8a8191b964ffe9693334ea4943638daadd2984b98bb8f34040de97f0dc99cb7709b9327ef06024b98e8620c1397cbe6fb0c11ec
SSDEEP

12288:hIkqVKSUD29C8S0EoQiJDPDTcqAvMZrjZqJ+OG24MifHit6xn3o:hIkqVQR68iJDP8qHrjX+Nk

Score

10^/10

formbook o6g2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o6g2

Decoy

sdsteelfurnitures.com

rentpropertypalma.com

qysdh1.xyz

cybersecintl.com

gtvcodes.com

furniture-99972.bond

thirteen39designs.com

ibrahimmallouhi.info

gddenggao.icu

padmabsingh.online

familyfarmequipment.com

tailboost.xyz

euel6.xyz

visualduuck.com

paraserviryproteger.homes

fleurandviola.com

hstgaga.com

whacknet.com

rumenaraya.com

fineeastuk.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/828-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3128 set thread context of 828	3128	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe	71

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
828	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe
828	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3128 wrote to memory of 828	3128	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe	71
PID 3128 wrote to memory of 828	3128	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe	71
PID 3128 wrote to memory of 828	3128	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe	71
PID 3128 wrote to memory of 828	3128	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe	71
PID 3128 wrote to memory of 828	3128	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe	71
PID 3128 wrote to memory of 828	3128	024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe	71

C:\Users\Admin\AppData\Local\Temp\024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe
"C:\Users\Admin\AppData\Local\Temp\024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128
- C:\Users\Admin\AppData\Local\Temp\024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe
  "C:\Users\Admin\AppData\Local\Temp\024aa4a117fa7c5952577b1e904510e09c0e048a7bfaf320fcbdb4f309c41ba5.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:828

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/828-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/828-16-0x0000000001160000-0x0000000001480000-memory.dmp

Filesize
3.1MB

Download
memory/828-15-0x0000000001160000-0x0000000001480000-memory.dmp

Filesize
3.1MB

Download
memory/3128-4-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3128-1-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/3128-5-0x0000000005340000-0x000000000534A000-memory.dmp

Filesize
40KB

Download
memory/3128-6-0x00000000053E0000-0x00000000053EE000-memory.dmp

Filesize
56KB

Download
memory/3128-7-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/3128-8-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/3128-9-0x0000000005400000-0x000000000540A000-memory.dmp

Filesize
40KB

Download
memory/3128-10-0x0000000005DB0000-0x0000000005E1E000-memory.dmp

Filesize
440KB

Download
memory/3128-11-0x0000000008370000-0x000000000840C000-memory.dmp

Filesize
624KB

Download
memory/3128-3-0x0000000005250000-0x00000000052E2000-memory.dmp

Filesize
584KB

Download
memory/3128-14-0x00000000734A0000-0x0000000073B8E000-memory.dmp

Filesize
6.9MB

Download
memory/3128-2-0x0000000005750000-0x0000000005C4E000-memory.dmp

Filesize
5.0MB

Download
memory/3128-0-0x00000000007C0000-0x0000000000850000-memory.dmp

Filesize
576KB

Download