formbook | 0a718870a86c1437e0299f0a1aaeb8f86dfe8af43e4ab56812ad127c56b876dd

Analysis

max time kernel
147s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
25/12/2023, 23:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

449b3fa96d0f05b8e8663fd8472d366d.exe
Size

1.2MB
MD5

449b3fa96d0f05b8e8663fd8472d366d
SHA1

40c2e2aca926851e0100816869d349597c0e7649
SHA256

0a718870a86c1437e0299f0a1aaeb8f86dfe8af43e4ab56812ad127c56b876dd
SHA512

8aca4dd5a5a4084d2eee490aa8456bfe50594e166bf6eccf27a1c7c0b8b60481bfa1a42217445e2b2c61ce52d3482b79c57aa21a30c8d0ee0b9480ed536e6b57
SSDEEP

24576:lYHlCmmeOsBgo0q4wMugVZZOT+QorTkgzx:lVnoHMuY7UoPkgz

Score

10^/10

formbook abns rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

abns

Decoy

velocityengineering.info

kenzkreashunz.com

sinsemillasweets.com

digitalnetworkslocal.com

thegalomedia.com

hbgangrui.com

tomatoslim.com

stackserviceplatform.com

ushemper.com

pj569330.com

onpointbr.com

anamhashim.com

merci-love.com

hashicup.com

sc-tjlm.com

jokysun.com

cfsandcreativity.com

tshirtmogul.net

emc-biotec.com

gifterias.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/508-8-0x0000000002D00000-0x0000000002D12000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2640-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 508 set thread context of 2640	508	449b3fa96d0f05b8e8663fd8472d366d.exe	102

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
508	449b3fa96d0f05b8e8663fd8472d366d.exe
508	449b3fa96d0f05b8e8663fd8472d366d.exe
2640	449b3fa96d0f05b8e8663fd8472d366d.exe
2640	449b3fa96d0f05b8e8663fd8472d366d.exe
2640	449b3fa96d0f05b8e8663fd8472d366d.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	508	449b3fa96d0f05b8e8663fd8472d366d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 508 wrote to memory of 2640	508	449b3fa96d0f05b8e8663fd8472d366d.exe	102
PID 508 wrote to memory of 2640	508	449b3fa96d0f05b8e8663fd8472d366d.exe	102
PID 508 wrote to memory of 2640	508	449b3fa96d0f05b8e8663fd8472d366d.exe	102
PID 508 wrote to memory of 2640	508	449b3fa96d0f05b8e8663fd8472d366d.exe	102
PID 508 wrote to memory of 2640	508	449b3fa96d0f05b8e8663fd8472d366d.exe	102
PID 508 wrote to memory of 2640	508	449b3fa96d0f05b8e8663fd8472d366d.exe	102

C:\Users\Admin\AppData\Local\Temp\449b3fa96d0f05b8e8663fd8472d366d.exe
"C:\Users\Admin\AppData\Local\Temp\449b3fa96d0f05b8e8663fd8472d366d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:508
- C:\Users\Admin\AppData\Local\Temp\449b3fa96d0f05b8e8663fd8472d366d.exe
  "C:\Users\Admin\AppData\Local\Temp\449b3fa96d0f05b8e8663fd8472d366d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/508-2-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/508-3-0x0000000005AE0000-0x0000000006084000-memory.dmp

Filesize
5.6MB

Download
memory/508-4-0x00000000055D0000-0x0000000005662000-memory.dmp

Filesize
584KB

Download
memory/508-1-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/508-5-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/508-7-0x0000000005760000-0x00000000057B6000-memory.dmp

Filesize
344KB

Download
memory/508-6-0x0000000005550000-0x000000000555A000-memory.dmp

Filesize
40KB

Download
memory/508-0-0x0000000000970000-0x0000000000AA8000-memory.dmp

Filesize
1.2MB

Download
memory/508-8-0x0000000002D00000-0x0000000002D12000-memory.dmp

Filesize
72KB

Download
memory/508-9-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/508-10-0x00000000057D0000-0x00000000057E0000-memory.dmp

Filesize
64KB

Download
memory/508-11-0x0000000006E90000-0x0000000006F0C000-memory.dmp

Filesize
496KB

Download
memory/508-12-0x0000000006BD0000-0x0000000006C04000-memory.dmp

Filesize
208KB

Download
memory/508-15-0x0000000074DD0000-0x0000000075580000-memory.dmp

Filesize
7.7MB

Download
memory/2640-16-0x0000000001810000-0x0000000001B5A000-memory.dmp

Filesize
3.3MB

Download
memory/2640-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download