formbook | 3864b3a157ece572eabb6d56e50d577d0993fc7150bb5046e26e4fdc6bdf3c76

Analysis

max time kernel
160s
max time network
176s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
01/01/2024, 19:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3daaa20ac455b9586113cba234ae3153.exe
Size

681KB
MD5

3daaa20ac455b9586113cba234ae3153
SHA1

d2972fb3c632473eb22f353755e0f31f999532b7
SHA256

3864b3a157ece572eabb6d56e50d577d0993fc7150bb5046e26e4fdc6bdf3c76
SHA512

9ab0101d42f3b17f7d9f9cc3d7c80167604cc29a309cb374afc47592d25bd054e5c10df52839c10e9b432dd09bea0ed90a6b16b4282c2183d7e845316ace9771
SSDEEP

6144:HBYFJLgGVFjvC+w7Mp5zmeEyK1mlfu7oVMGMLQwNFRKs0ZnnsCJaIUSSLyFpVI:6vVBpnAIutGMnNFR90DaIkepI

Score

10^/10

formbook crg3 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

crg3

Decoy

g-strip.com

mercedestaydo.com

bettypersonalized.com

smithsndvine.com

lrkingdee.com

steigtechnik.club

joyous.world

lockhartsecurity.net

dogpouchy.com

sallysharman.com

moylook.online

safercheckin.com

pinsiteup14.online

infinitytattoocare.com

daiwans1.com

nativress.com

vanessagracebang.xyz

adiguzelboya.net

getiphoneforfree.com

villadelsolguadalupe.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1740-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2808 set thread context of 1740	2808	3daaa20ac455b9586113cba234ae3153.exe	100

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1740	3daaa20ac455b9586113cba234ae3153.exe
1740	3daaa20ac455b9586113cba234ae3153.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 1740	2808	3daaa20ac455b9586113cba234ae3153.exe	100
PID 2808 wrote to memory of 1740	2808	3daaa20ac455b9586113cba234ae3153.exe	100
PID 2808 wrote to memory of 1740	2808	3daaa20ac455b9586113cba234ae3153.exe	100
PID 2808 wrote to memory of 1740	2808	3daaa20ac455b9586113cba234ae3153.exe	100
PID 2808 wrote to memory of 1740	2808	3daaa20ac455b9586113cba234ae3153.exe	100
PID 2808 wrote to memory of 1740	2808	3daaa20ac455b9586113cba234ae3153.exe	100

C:\Users\Admin\AppData\Local\Temp\3daaa20ac455b9586113cba234ae3153.exe
"C:\Users\Admin\AppData\Local\Temp\3daaa20ac455b9586113cba234ae3153.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Users\Admin\AppData\Local\Temp\3daaa20ac455b9586113cba234ae3153.exe
  "C:\Users\Admin\AppData\Local\Temp\3daaa20ac455b9586113cba234ae3153.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1740

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1740-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1740-15-0x0000000000FA0000-0x00000000012EA000-memory.dmp

Filesize
3.3MB

Download
memory/2808-6-0x00000000062A0000-0x000000000633C000-memory.dmp

Filesize
624KB

Download
memory/2808-3-0x00000000050A0000-0x0000000005132000-memory.dmp

Filesize
584KB

Download
memory/2808-4-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2808-5-0x0000000005080000-0x000000000508A000-memory.dmp

Filesize
40KB

Download
memory/2808-0-0x00000000005D0000-0x0000000000680000-memory.dmp

Filesize
704KB

Download
memory/2808-7-0x0000000005310000-0x000000000532C000-memory.dmp

Filesize
112KB

Download
memory/2808-8-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2808-9-0x0000000005050000-0x0000000005060000-memory.dmp

Filesize
64KB

Download
memory/2808-10-0x0000000006820000-0x000000000688A000-memory.dmp

Filesize
424KB

Download
memory/2808-11-0x0000000008E40000-0x0000000008E74000-memory.dmp

Filesize
208KB

Download
memory/2808-2-0x0000000005650000-0x0000000005BF4000-memory.dmp

Filesize
5.6MB

Download
memory/2808-14-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download
memory/2808-1-0x0000000074490000-0x0000000074C40000-memory.dmp

Filesize
7.7MB

Download