formbook | af9c6b565169b1ebec9e788bd3e4a3db7afae10348c06dd239602ccaea9ffb73

Analysis

max time kernel
150s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
12/01/2024, 00:00

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

54f044ac2f6763dff567801cbb8276c6.exe
Size

358KB
MD5

54f044ac2f6763dff567801cbb8276c6
SHA1

623007ae021213e7e8f44b3fb89e9363b0f3e675
SHA256

af9c6b565169b1ebec9e788bd3e4a3db7afae10348c06dd239602ccaea9ffb73
SHA512

a9e84bc78b6a1752a3761f10a9e4025802c033ff777a565b0fdd2069c2b7b566d2d56fb5df96eb832f16ab7eb9228dad9c9f4b90fcfdefd763fb062889af50d7
SSDEEP

6144:Cx19xfRz9RzGhN7NLcaI3d4qRo1q0cX2Jje3gsn/2Js3kbC3NDiRzXgbhrUU5OPz:Cx1fFTGjRLca8d1G1q0Dgwsn/as3kW9W

Score

10^/10

formbook bd2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

bd2

Decoy

coffeeflyer.com

joy-cars.com

excp0st.com

pancakesandprotein.com

teenboys.info

theperfectgiftshop.net

maomao2017.com

musiclabtacoma.com

taskrit.com

pthjxx.com

114man.com

worldsjsj.com

rjpmuztrygwn.online

casinotoponlineplay.technology

tm88z.com

navnoorkang.com

lazydogkennels.net

yisilv.com

usasubels.com

desperatehouse-lives.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4376-3-0x0000000000400000-0x000000000042A000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3732 set thread context of 4376	3732	54f044ac2f6763dff567801cbb8276c6.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4376	54f044ac2f6763dff567801cbb8276c6.exe
4376	54f044ac2f6763dff567801cbb8276c6.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3732 wrote to memory of 4376	3732	54f044ac2f6763dff567801cbb8276c6.exe	90
PID 3732 wrote to memory of 4376	3732	54f044ac2f6763dff567801cbb8276c6.exe	90
PID 3732 wrote to memory of 4376	3732	54f044ac2f6763dff567801cbb8276c6.exe	90
PID 3732 wrote to memory of 4376	3732	54f044ac2f6763dff567801cbb8276c6.exe	90
PID 3732 wrote to memory of 4376	3732	54f044ac2f6763dff567801cbb8276c6.exe	90
PID 3732 wrote to memory of 4376	3732	54f044ac2f6763dff567801cbb8276c6.exe	90

C:\Users\Admin\AppData\Local\Temp\54f044ac2f6763dff567801cbb8276c6.exe
"C:\Users\Admin\AppData\Local\Temp\54f044ac2f6763dff567801cbb8276c6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3732
- C:\Users\Admin\AppData\Local\Temp\54f044ac2f6763dff567801cbb8276c6.exe
  "{path}"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3732-0-0x00000000751C0000-0x0000000075771000-memory.dmp

Filesize
5.7MB

Download
memory/3732-2-0x0000000000D80000-0x0000000000D90000-memory.dmp

Filesize
64KB

Download
memory/3732-1-0x00000000751C0000-0x0000000075771000-memory.dmp

Filesize
5.7MB

Download
memory/3732-5-0x00000000751C0000-0x0000000075771000-memory.dmp

Filesize
5.7MB

Download
memory/4376-3-0x0000000000400000-0x000000000042A000-memory.dmp

Filesize
168KB

Download
memory/4376-6-0x0000000001940000-0x0000000001C8A000-memory.dmp

Filesize
3.3MB

Download