formbook | 4c5fd4ed6d7eda044f08d5369dd3ac130ae1e7d2f8415a77ebbc8010e2fe7c11

Analysis

max time kernel
141s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2024, 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5b5276e6117204297cf817fee27e16d4.exe
Size

651KB
MD5

5b5276e6117204297cf817fee27e16d4
SHA1

085f8c31af7217eaa95ddcab32ec8de22f3e93e0
SHA256

4c5fd4ed6d7eda044f08d5369dd3ac130ae1e7d2f8415a77ebbc8010e2fe7c11
SHA512

dbb25c6f0faf121f3d0d23a2c69e16c8463d8b842124b2f5ebb5a8ef037d412ce812d3ec26d4790d771cabf1b68ccae90ae75451a9758ae1eeac7e9eed03733e
SSDEEP

12288:xIGmwPTWN5FyYLX8kQMHbNJYYzTsBJqgh:Gw7WN5Frj2M7NBfy

Score

10^/10

formbook gz92 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gz92

Decoy

ayurvedichealthformulas.com

plazaconstrutora.com

nat-hetong.info

eapdigital.com

ibluebaytvwdshop.com

committable.com

escapesbyek.com

mywebdesigner.pro

jianianhong.com

benvenutoqui.com

beiyet.com

theartofgifs.com

mbwvyksnk.icu

nshahwelfare.com

hhhservice.com

thechaibali.com

travelscreen.expert

best123-movies.com

leiahin.com

runplay11.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4212-11-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3796 set thread context of 4212	3796	5b5276e6117204297cf817fee27e16d4.exe	102

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3796	5b5276e6117204297cf817fee27e16d4.exe
3796	5b5276e6117204297cf817fee27e16d4.exe
3796	5b5276e6117204297cf817fee27e16d4.exe
3796	5b5276e6117204297cf817fee27e16d4.exe
4212	5b5276e6117204297cf817fee27e16d4.exe
4212	5b5276e6117204297cf817fee27e16d4.exe
4212	5b5276e6117204297cf817fee27e16d4.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3796	5b5276e6117204297cf817fee27e16d4.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3796 wrote to memory of 3472	3796	5b5276e6117204297cf817fee27e16d4.exe	101
PID 3796 wrote to memory of 3472	3796	5b5276e6117204297cf817fee27e16d4.exe	101
PID 3796 wrote to memory of 3472	3796	5b5276e6117204297cf817fee27e16d4.exe	101
PID 3796 wrote to memory of 3444	3796	5b5276e6117204297cf817fee27e16d4.exe	103
PID 3796 wrote to memory of 3444	3796	5b5276e6117204297cf817fee27e16d4.exe	103
PID 3796 wrote to memory of 3444	3796	5b5276e6117204297cf817fee27e16d4.exe	103
PID 3796 wrote to memory of 4212	3796	5b5276e6117204297cf817fee27e16d4.exe	102
PID 3796 wrote to memory of 4212	3796	5b5276e6117204297cf817fee27e16d4.exe	102
PID 3796 wrote to memory of 4212	3796	5b5276e6117204297cf817fee27e16d4.exe	102
PID 3796 wrote to memory of 4212	3796	5b5276e6117204297cf817fee27e16d4.exe	102
PID 3796 wrote to memory of 4212	3796	5b5276e6117204297cf817fee27e16d4.exe	102
PID 3796 wrote to memory of 4212	3796	5b5276e6117204297cf817fee27e16d4.exe	102

C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe
"C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3796
- C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe
  "C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe"
  2⤵
  PID:3472
- C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe
  "C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4212
- C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe
  "C:\Users\Admin\AppData\Local\Temp\5b5276e6117204297cf817fee27e16d4.exe"
  2⤵
  PID:3444

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3796-1-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3796-0-0x0000000000320000-0x00000000003CA000-memory.dmp

Filesize
680KB

Download
memory/3796-2-0x0000000005370000-0x0000000005914000-memory.dmp

Filesize
5.6MB

Download
memory/3796-3-0x0000000004E60000-0x0000000004EF2000-memory.dmp

Filesize
584KB

Download
memory/3796-4-0x00000000050D0000-0x00000000050E0000-memory.dmp

Filesize
64KB

Download
memory/3796-5-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/3796-6-0x0000000006530000-0x00000000065CC000-memory.dmp

Filesize
624KB

Download
memory/3796-7-0x0000000004F50000-0x0000000004F6C000-memory.dmp

Filesize
112KB

Download
memory/3796-8-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/3796-9-0x0000000006490000-0x00000000064F6000-memory.dmp

Filesize
408KB

Download
memory/3796-10-0x0000000008B60000-0x0000000008B94000-memory.dmp

Filesize
208KB

Download
memory/3796-13-0x0000000074D30000-0x00000000754E0000-memory.dmp

Filesize
7.7MB

Download
memory/4212-11-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/4212-14-0x0000000000F70000-0x00000000012BA000-memory.dmp

Filesize
3.3MB

Download
memory/4212-15-0x0000000000F70000-0x00000000012BA000-memory.dmp

Filesize
3.3MB

Download