formbook | c78b8b110d575fc2ec594bbc1731b361cc17342ebdb29bb03df1d87d9342eac9

Analysis

max time kernel
93s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
24/12/2023, 23:17

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

18d55e644d97c47a387dbe93e74a41ca.exe
Size

1.1MB
MD5

18d55e644d97c47a387dbe93e74a41ca
SHA1

34a88212b920a763cde05ba5e3e28b168f89cd55
SHA256

c78b8b110d575fc2ec594bbc1731b361cc17342ebdb29bb03df1d87d9342eac9
SHA512

187f13a1f60ed0b77a041f0c20157189be3d9fed13271d69eebfe85a46129659beae51808124599f2028ee51136d35f9f10eb15b8814d69842c40c18bc6584d2
SSDEEP

12288:Wej3xCGRiOQKL4PHCpG86IEGbHYhA+LUc1P+X4dBJGF7ldUdgl12nt+EW1:vj34Rh0HYhh4c1P+wB8tImH2t+EW1

Score

10^/10

formbook jdkn rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jdkn

Decoy

salkblend.com

theourworld.foundation

microsoftofficeweb.com

7mi3.com

eltoncastee.com

threeingredientcocktails.com

vibecity.online

moka-s.com

mezo-meats.com

goldbarrbrand.com

pildoreando.com

pbqjm.com

xiaoshuhr.com

gaythemedfilm.club

fuckedupforpay.com

realengolife.com

vstarnailsandspa.com

bodurm.com

alphaden.club

sanatanies.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/4772-8-0x00000000056B0000-0x00000000056C2000-memory.dmp	CustAttr

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/4368-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral2/memory/4368-17-0x00000000017E0000-0x0000000001B2A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4772 set thread context of 4368	4772	18d55e644d97c47a387dbe93e74a41ca.exe	96

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4368	18d55e644d97c47a387dbe93e74a41ca.exe
4368	18d55e644d97c47a387dbe93e74a41ca.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4772 wrote to memory of 4368	4772	18d55e644d97c47a387dbe93e74a41ca.exe	96
PID 4772 wrote to memory of 4368	4772	18d55e644d97c47a387dbe93e74a41ca.exe	96
PID 4772 wrote to memory of 4368	4772	18d55e644d97c47a387dbe93e74a41ca.exe	96
PID 4772 wrote to memory of 4368	4772	18d55e644d97c47a387dbe93e74a41ca.exe	96
PID 4772 wrote to memory of 4368	4772	18d55e644d97c47a387dbe93e74a41ca.exe	96
PID 4772 wrote to memory of 4368	4772	18d55e644d97c47a387dbe93e74a41ca.exe	96

C:\Users\Admin\AppData\Local\Temp\18d55e644d97c47a387dbe93e74a41ca.exe
"C:\Users\Admin\AppData\Local\Temp\18d55e644d97c47a387dbe93e74a41ca.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4772
- C:\Users\Admin\AppData\Local\Temp\18d55e644d97c47a387dbe93e74a41ca.exe
  "C:\Users\Admin\AppData\Local\Temp\18d55e644d97c47a387dbe93e74a41ca.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4368-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4368-17-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download
memory/4368-16-0x00000000017E0000-0x0000000001B2A000-memory.dmp

Filesize
3.3MB

Download
memory/4772-8-0x00000000056B0000-0x00000000056C2000-memory.dmp

Filesize
72KB

Download
memory/4772-10-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4772-5-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4772-6-0x0000000005050000-0x000000000505A000-memory.dmp

Filesize
40KB

Download
memory/4772-7-0x0000000005360000-0x00000000053B6000-memory.dmp

Filesize
344KB

Download
memory/4772-2-0x0000000005080000-0x000000000511C000-memory.dmp

Filesize
624KB

Download
memory/4772-9-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4772-3-0x00000000056D0000-0x0000000005C74000-memory.dmp

Filesize
5.6MB

Download
memory/4772-11-0x0000000006AA0000-0x0000000006B20000-memory.dmp

Filesize
512KB

Download
memory/4772-12-0x0000000006B30000-0x0000000006B68000-memory.dmp

Filesize
224KB

Download
memory/4772-4-0x0000000005120000-0x00000000051B2000-memory.dmp

Filesize
584KB

Download
memory/4772-0-0x0000000000540000-0x0000000000660000-memory.dmp

Filesize
1.1MB

Download
memory/4772-15-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download
memory/4772-1-0x00000000746A0000-0x0000000074E50000-memory.dmp

Filesize
7.7MB

Download