formbook | c9c2270688cf2f657dc16c1399cfbebadb1ae1d9a14c575a8f0c9d4c1ee3f38d

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
25-12-2023 22:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

410f4617026b9c0bc7296999d4028a86.exe
Size

1.3MB
MD5

410f4617026b9c0bc7296999d4028a86
SHA1

6f558885e1901d89a067619c5e46e642fdd29a7c
SHA256

c9c2270688cf2f657dc16c1399cfbebadb1ae1d9a14c575a8f0c9d4c1ee3f38d
SHA512

09cb0893935fbd733f40d86fc76420cc7292758887e8f1e37e01eb032741bb94394158cdfda9ac7142c24f39c2c79ea405cd921f02d94f712eac623117c853d9
SSDEEP

24576:2RS/d3NKzksGkszrBpGSDTZSK2Z/dgrBEvqQy8jhMN6ZNZZ:TKYlnTZSK2ZSS3CN6ZNZ

Score

10^/10

formbook rh0s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rh0s

Decoy

operatethekitchen.com

albaturkvatifbank.com

buzduganjr.com

binnsmotorinn.com

slotz789.com

bbwelldrilling.com

ldygqr.com

copyrightrules-ig.com

grabnsnatch.net

snowboardworldcup2009.com

mkstarz.com

flattoplakehomesforsale.com

tradinglife123.net

cafearabicanj.com

thekozow.com

wii2review26.club

youcanpassusmle.com

tydevelops.com

fashionwatchesstore.com

peeleasubo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/936-3-0x0000000000260000-0x0000000000272000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2576-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 936 set thread context of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2576	410f4617026b9c0bc7296999d4028a86.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 936 wrote to memory of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30
PID 936 wrote to memory of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30
PID 936 wrote to memory of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30
PID 936 wrote to memory of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30
PID 936 wrote to memory of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30
PID 936 wrote to memory of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30
PID 936 wrote to memory of 2576	936	410f4617026b9c0bc7296999d4028a86.exe	30

C:\Users\Admin\AppData\Local\Temp\410f4617026b9c0bc7296999d4028a86.exe
"C:\Users\Admin\AppData\Local\Temp\410f4617026b9c0bc7296999d4028a86.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:936
- C:\Users\Admin\AppData\Local\Temp\410f4617026b9c0bc7296999d4028a86.exe
  "C:\Users\Admin\AppData\Local\Temp\410f4617026b9c0bc7296999d4028a86.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/936-6-0x00000000057A0000-0x0000000005842000-memory.dmp

Filesize
648KB

Download
memory/936-0-0x0000000000AB0000-0x0000000000BFA000-memory.dmp

Filesize
1.3MB

Download
memory/936-2-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/936-3-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/936-4-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/936-5-0x0000000004EB0000-0x0000000004EF0000-memory.dmp

Filesize
256KB

Download
memory/936-1-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/936-7-0x0000000000500000-0x0000000000534000-memory.dmp

Filesize
208KB

Download
memory/936-13-0x0000000074A10000-0x00000000750FE000-memory.dmp

Filesize
6.9MB

Download
memory/2576-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2576-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2576-14-0x0000000000C00000-0x0000000000F03000-memory.dmp

Filesize
3.0MB

Download