formbook | 0900fb79f837569ff852f6ed371c42e4a4c7f4b39ca68913a53108cc86fb98b9

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/12/2023, 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

070989d8cda0d6a7c06bef08e202e65f.exe
Size

1.1MB
MD5

070989d8cda0d6a7c06bef08e202e65f
SHA1

55f401ece369ead31ab4bcddabd27dda579034fb
SHA256

0900fb79f837569ff852f6ed371c42e4a4c7f4b39ca68913a53108cc86fb98b9
SHA512

1fab3030e2f2ff05bc681a593c788e16201ce779baa2420c0d469cf1cbcdb9e46d916104890ccaf7a66d4b3f9693ed6e3550e38ce4486591b374a162156a98b0
SSDEEP

24576:MhBmZH5/darK64JWe+fhD3noq5RZq/IL:MLKKK64Jkfh7noqXZ8

Score

10^/10

formbook k2m6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

k2m6

Decoy

olamenfox.com

sisuidrottmassage.info

de-mayoreo.com

jpmorgancoin.online

gorkasantosarquitectura.com

musicandsound.pro

sarahprworldwide.com

mediclaim.store

chipnoodle.com

creditccu.com

glowyfryzjerskie.com

spoutte.com

cinemaflix.download

tahviehsafir.com

wandabooks.com

crossbowbroadhead.com

kn3257pkty.site

gigabytebd.com

hotel-alameda-zarautz.com

meguina.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/3744-8-0x0000000005430000-0x0000000005442000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2240-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3744 set thread context of 2240	3744	070989d8cda0d6a7c06bef08e202e65f.exe	102

Suspicious behavior: EnumeratesProcesses 5 IoCs

pid	Process
3744	070989d8cda0d6a7c06bef08e202e65f.exe
3744	070989d8cda0d6a7c06bef08e202e65f.exe
2240	070989d8cda0d6a7c06bef08e202e65f.exe
2240	070989d8cda0d6a7c06bef08e202e65f.exe
2240	070989d8cda0d6a7c06bef08e202e65f.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3744	070989d8cda0d6a7c06bef08e202e65f.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3744 wrote to memory of 2240	3744	070989d8cda0d6a7c06bef08e202e65f.exe	102
PID 3744 wrote to memory of 2240	3744	070989d8cda0d6a7c06bef08e202e65f.exe	102
PID 3744 wrote to memory of 2240	3744	070989d8cda0d6a7c06bef08e202e65f.exe	102
PID 3744 wrote to memory of 2240	3744	070989d8cda0d6a7c06bef08e202e65f.exe	102
PID 3744 wrote to memory of 2240	3744	070989d8cda0d6a7c06bef08e202e65f.exe	102
PID 3744 wrote to memory of 2240	3744	070989d8cda0d6a7c06bef08e202e65f.exe	102

C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe
"C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3744
- C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe
  "C:\Users\Admin\AppData\Local\Temp\070989d8cda0d6a7c06bef08e202e65f.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2240-16-0x00000000013E0000-0x000000000172A000-memory.dmp

Filesize
3.3MB

Download
memory/2240-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3744-8-0x0000000005430000-0x0000000005442000-memory.dmp

Filesize
72KB

Download
memory/3744-9-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-6-0x0000000004EF0000-0x0000000004EFA000-memory.dmp

Filesize
40KB

Download
memory/3744-3-0x0000000005480000-0x0000000005A24000-memory.dmp

Filesize
5.6MB

Download
memory/3744-1-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-0-0x0000000000330000-0x0000000000448000-memory.dmp

Filesize
1.1MB

Download
memory/3744-2-0x0000000004E30000-0x0000000004ECC000-memory.dmp

Filesize
624KB

Download
memory/3744-7-0x0000000005100000-0x0000000005156000-memory.dmp

Filesize
344KB

Download
memory/3744-10-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3744-12-0x0000000006840000-0x0000000006874000-memory.dmp

Filesize
208KB

Download
memory/3744-11-0x0000000006790000-0x000000000680C000-memory.dmp

Filesize
496KB

Download
memory/3744-15-0x0000000074DF0000-0x00000000755A0000-memory.dmp

Filesize
7.7MB

Download
memory/3744-5-0x0000000004DE0000-0x0000000004DF0000-memory.dmp

Filesize
64KB

Download
memory/3744-4-0x0000000004F70000-0x0000000005002000-memory.dmp

Filesize
584KB

Download