formbook | 0900fb79f837569ff852f6ed371c42e4a4c7f4b39ca68913a53108cc86fb98b9

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29/12/2023, 23:32

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

070989d8cda0d6a7c06bef08e202e65f.exe
Size

1.1MB
MD5

070989d8cda0d6a7c06bef08e202e65f
SHA1

55f401ece369ead31ab4bcddabd27dda579034fb
SHA256

0900fb79f837569ff852f6ed371c42e4a4c7f4b39ca68913a53108cc86fb98b9
SHA512

1fab3030e2f2ff05bc681a593c788e16201ce779baa2420c0d469cf1cbcdb9e46d916104890ccaf7a66d4b3f9693ed6e3550e38ce4486591b374a162156a98b0
SSDEEP

24576:MhBmZH5/darK64JWe+fhD3noq5RZq/IL:MLKKK64Jkfh7noqXZ8

Score

10^/10

formbook k2m6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2m6

Decoy

olamenfox.com

sisuidrottmassage.info

de-mayoreo.com

jpmorgancoin.online

gorkasantosarquitectura.com

musicandsound.pro

sarahprworldwide.com

mediclaim.store

chipnoodle.com

creditccu.com

glowyfryzjerskie.com

spoutte.com

cinemaflix.download

tahviehsafir.com

wandabooks.com

crossbowbroadhead.com

kn3257pkty.site

gigabytebd.com

hotel-alameda-zarautz.com

meguina.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/1064-3-0x0000000000310000-0x0000000000322000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/1920-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1064 set thread context of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1920	070989d8cda0d6a7c06bef08e202e65f.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1064 wrote to memory of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30
PID 1064 wrote to memory of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30
PID 1064 wrote to memory of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30
PID 1064 wrote to memory of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30
PID 1064 wrote to memory of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30
PID 1064 wrote to memory of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30
PID 1064 wrote to memory of 1920	1064	070989d8cda0d6a7c06bef08e202e65f.exe	30

C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe
"C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1064
- C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe
  "C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1920

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1064-6-0x0000000005650000-0x00000000056CC000-memory.dmp

Filesize
496KB

Download
memory/1064-13-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1064-2-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1064-3-0x0000000000310000-0x0000000000322000-memory.dmp

Filesize
72KB

Download
memory/1064-4-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1064-5-0x0000000004E50000-0x0000000004E90000-memory.dmp

Filesize
256KB

Download
memory/1064-7-0x0000000000530000-0x0000000000564000-memory.dmp

Filesize
208KB

Download
memory/1064-0-0x0000000000910000-0x0000000000A28000-memory.dmp

Filesize
1.1MB

Download
memory/1064-1-0x0000000074C50000-0x000000007533E000-memory.dmp

Filesize
6.9MB

Download
memory/1920-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1920-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1920-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1920-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1920-14-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download