formbook | 657bd12172568c696ae02af0948808a0f9ab30d77ed199abd0f3bdf08f5d0513

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
11/01/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

53ab34043d225c7fca168ad1a7df31a8.exe
Size

1.3MB
MD5

53ab34043d225c7fca168ad1a7df31a8
SHA1

d65e76d0c79ac6270d3136af438bc36a69c7efc2
SHA256

657bd12172568c696ae02af0948808a0f9ab30d77ed199abd0f3bdf08f5d0513
SHA512

4a8e212fad1cb4047b83ec70f37cc136143341fb1c14cd6cd0908c7ded887acf65135a1adc105529ebee1fe239dbfb70fd3c999c7210693af989208a27328b82
SSDEEP

24576:Hg4fV76DOqfx8Dgyfx8Dg7qWpA2jPjvVpVbErWG1mwDZffL:pV76b58Dgy58Dg71A2jPjtrbtG7ZX

Score

10^/10

formbook amb6 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

amb6

Decoy

segurocars.com

rylautosales.com

xinglinjiankang.com

dantil-brand.com

sofaloffa.club

coinclub2.com

ez-pens.com

gqtlqsw.com

robotnewswire.com

ktproductreviews.com

merchbrander.com

yesonamendmentb.com

losgatoslimos.com

kristincole.art

metalmaids.online

leftcoastmodels.com

athetheist.com

jblbusrtingsale.com

chungcugiarehcm.com

renblockchain.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3084-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 5048 set thread context of 3084	5048	53ab34043d225c7fca168ad1a7df31a8.exe	102

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3084	53ab34043d225c7fca168ad1a7df31a8.exe
3084	53ab34043d225c7fca168ad1a7df31a8.exe
3084	53ab34043d225c7fca168ad1a7df31a8.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5048 wrote to memory of 3084	5048	53ab34043d225c7fca168ad1a7df31a8.exe	102
PID 5048 wrote to memory of 3084	5048	53ab34043d225c7fca168ad1a7df31a8.exe	102
PID 5048 wrote to memory of 3084	5048	53ab34043d225c7fca168ad1a7df31a8.exe	102
PID 5048 wrote to memory of 3084	5048	53ab34043d225c7fca168ad1a7df31a8.exe	102
PID 5048 wrote to memory of 3084	5048	53ab34043d225c7fca168ad1a7df31a8.exe	102
PID 5048 wrote to memory of 3084	5048	53ab34043d225c7fca168ad1a7df31a8.exe	102

C:\Users\Admin\AppData\Local\Temp\53ab34043d225c7fca168ad1a7df31a8.exe
"C:\Users\Admin\AppData\Local\Temp\53ab34043d225c7fca168ad1a7df31a8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5048
- C:\Users\Admin\AppData\Local\Temp\53ab34043d225c7fca168ad1a7df31a8.exe
  "C:\Users\Admin\AppData\Local\Temp\53ab34043d225c7fca168ad1a7df31a8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3084

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3084-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3084-16-0x0000000000F30000-0x000000000127A000-memory.dmp

Filesize
3.3MB

Download
memory/3084-15-0x0000000000F30000-0x000000000127A000-memory.dmp

Filesize
3.3MB

Download
memory/5048-4-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/5048-0-0x0000000000840000-0x000000000098E000-memory.dmp

Filesize
1.3MB

Download
memory/5048-6-0x00000000055E0000-0x000000000567C000-memory.dmp

Filesize
624KB

Download
memory/5048-5-0x0000000005240000-0x000000000524A000-memory.dmp

Filesize
40KB

Download
memory/5048-7-0x0000000004C30000-0x0000000004C42000-memory.dmp

Filesize
72KB

Download
memory/5048-8-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/5048-9-0x00000000051B0000-0x00000000051C0000-memory.dmp

Filesize
64KB

Download
memory/5048-10-0x0000000005780000-0x0000000005822000-memory.dmp

Filesize
648KB

Download
memory/5048-11-0x0000000007020000-0x0000000007054000-memory.dmp

Filesize
208KB

Download
memory/5048-2-0x0000000005870000-0x0000000005E14000-memory.dmp

Filesize
5.6MB

Download
memory/5048-14-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download
memory/5048-3-0x00000000052C0000-0x0000000005352000-memory.dmp

Filesize
584KB

Download
memory/5048-1-0x0000000074990000-0x0000000075140000-memory.dmp

Filesize
7.7MB

Download