formbook | 6a778cbfb34a637265c39ae5a0a321010998d93fb7183b4e8766a4a2390bf72f

Analysis

max time kernel
178s
max time network
202s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2023 12:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8fa85ce4b25441a6e45dd6c74cb79670.exe
Size

749KB
MD5

8fa85ce4b25441a6e45dd6c74cb79670
SHA1

1b5ce8ebb1074d89dead6ed83e7c8d6d77a8971f
SHA256

6a778cbfb34a637265c39ae5a0a321010998d93fb7183b4e8766a4a2390bf72f
SHA512

31c726a677f25ef0dbb688d0b778d527661fda5208da8bd3cb11fc971536b8b2e18ccdeea4008956515a6fd6c1f6d1999884a754e51fc696b5540dbf1c2ec5be
SSDEEP

12288:lgO3+VUPObK1Cnf2VtYLrlz1+e+AWQDXNXvjR/zk8iWNEQiEKwB:tHwlLWkXNBk8iWNAi

Score

10^/10

formbook ergs rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ergs

Decoy

jardineriavilanova.com

highkeyfashionboutique.com

willingtobuyyourhouse.com

ysfno.com

bjkhjzzs.com

hexmotif.com

intentionalerror.com

nuu-foundfreedom.com

catalystspeechservices.com

blackmybail.com

xntaobaozhibo.com

site-sozdat.online

45quisisanadr.com

ipawlove.com

yifa5188.com

admm.email

houseoftealbh.com

scale-biz.com

vdvppt.club

loveandlight.life

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2516-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

8fa85ce4b25441a6e45dd6c74cb79670.exe

description pid process target process

PID 4868 set thread context of 2516 4868 8fa85ce4b25441a6e45dd6c74cb79670.exe 8fa85ce4b25441a6e45dd6c74cb79670.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8fa85ce4b25441a6e45dd6c74cb79670.exe

pid process

2516 8fa85ce4b25441a6e45dd6c74cb79670.exe
2516 8fa85ce4b25441a6e45dd6c74cb79670.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

8fa85ce4b25441a6e45dd6c74cb79670.exe

pid process

4868 8fa85ce4b25441a6e45dd6c74cb79670.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

8fa85ce4b25441a6e45dd6c74cb79670.exe

pid process

4868 8fa85ce4b25441a6e45dd6c74cb79670.exe

description	pid	process	target process
PID 4868 set thread context of 2516	4868	8fa85ce4b25441a6e45dd6c74cb79670.exe	8fa85ce4b25441a6e45dd6c74cb79670.exe

pid	process
2516	8fa85ce4b25441a6e45dd6c74cb79670.exe
2516	8fa85ce4b25441a6e45dd6c74cb79670.exe

pid	process
4868	8fa85ce4b25441a6e45dd6c74cb79670.exe

pid	process
4868	8fa85ce4b25441a6e45dd6c74cb79670.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8fa85ce4b25441a6e45dd6c74cb79670.exe

description	pid	process	target process
PID 4868 wrote to memory of 2516	4868	8fa85ce4b25441a6e45dd6c74cb79670.exe	8fa85ce4b25441a6e45dd6c74cb79670.exe
PID 4868 wrote to memory of 2516	4868	8fa85ce4b25441a6e45dd6c74cb79670.exe	8fa85ce4b25441a6e45dd6c74cb79670.exe
PID 4868 wrote to memory of 2516	4868	8fa85ce4b25441a6e45dd6c74cb79670.exe	8fa85ce4b25441a6e45dd6c74cb79670.exe
PID 4868 wrote to memory of 2516	4868	8fa85ce4b25441a6e45dd6c74cb79670.exe	8fa85ce4b25441a6e45dd6c74cb79670.exe
PID 4868 wrote to memory of 2516	4868	8fa85ce4b25441a6e45dd6c74cb79670.exe	8fa85ce4b25441a6e45dd6c74cb79670.exe
PID 4868 wrote to memory of 2516	4868	8fa85ce4b25441a6e45dd6c74cb79670.exe	8fa85ce4b25441a6e45dd6c74cb79670.exe

C:\Users\Admin\AppData\Local\Temp\8fa85ce4b25441a6e45dd6c74cb79670.exe
"C:\Users\Admin\AppData\Local\Temp\8fa85ce4b25441a6e45dd6c74cb79670.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4868

C:\Users\Admin\AppData\Local\Temp\8fa85ce4b25441a6e45dd6c74cb79670.exe
"C:\Users\Admin\AppData\Local\Temp\8fa85ce4b25441a6e45dd6c74cb79670.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2516-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2516-15-0x0000000000F60000-0x00000000012AA000-memory.dmp

Filesize
3.3MB

Download
memory/4868-6-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4868-3-0x0000000005620000-0x00000000056B2000-memory.dmp

Filesize
584KB

Download
memory/4868-4-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4868-5-0x00000000056E0000-0x00000000056EA000-memory.dmp

Filesize
40KB

Download
memory/4868-1-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4868-7-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/4868-8-0x0000000008400000-0x000000000849C000-memory.dmp

Filesize
624KB

Download
memory/4868-9-0x0000000008360000-0x000000000837C000-memory.dmp

Filesize
112KB

Download
memory/4868-10-0x0000000001530000-0x0000000001598000-memory.dmp

Filesize
416KB

Download
memory/4868-11-0x0000000001600000-0x0000000001634000-memory.dmp

Filesize
208KB

Download
memory/4868-2-0x0000000005AF0000-0x0000000006094000-memory.dmp

Filesize
5.6MB

Download
memory/4868-14-0x0000000074470000-0x0000000074C20000-memory.dmp

Filesize
7.7MB

Download
memory/4868-0-0x0000000000B70000-0x0000000000C32000-memory.dmp

Filesize
776KB

Download