formbook | 0a572a1204078a6e8d7e0273304057ba4fe1be02ea692ec7d3e51e1dba30a19f

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
25/01/2024, 04:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

73ba302c6db589bcc68b8686618889e8.exe
Size

1.3MB
MD5

73ba302c6db589bcc68b8686618889e8
SHA1

77b5067ebfbdceb30002c7bc6a7278978007c5f9
SHA256

0a572a1204078a6e8d7e0273304057ba4fe1be02ea692ec7d3e51e1dba30a19f
SHA512

496fc14e2dde5417a627785943d0fc39259aee0f029ac17f240391b7d7b8b6f1c2246a30aa1f10079f5f91f2594ccf875e210d5da3b7d00c1a17bfdc3a65d5d6
SSDEEP

24576:z/HwS/d3Qmvy+VKGjGXNZw0B8BiWVx2LZvig2wDGdoL7xvUN71Fe:PGGqnw0BCjqvig21dE2e

Score

10^/10

formbook b2dn rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

b2dn

Decoy

tigasaki.com

ashurmall.net

womenanhome.com

aplusmoblervrepair.com

hometheaterplanning.com

editstores.com

growtoabillion.com

uaforge96sport.com

customersuccessoutsourcing.com

northstaradio.com

remotetech42.com

matchapult.com

breakdownquartet.com

erhradtcc.com

cyainspectionsinc.com

hussy-ballistics.info

prodisa.info

mitthussweets.com

ibycoaching.com

gpspersonaltracker.equipment

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2632-9-0x0000000000400000-0x000000000042E000-memory.dmp	formbook
behavioral1/memory/2632-12-0x00000000008D0000-0x0000000000BD3000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2340 set thread context of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2632	73ba302c6db589bcc68b8686618889e8.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2340 wrote to memory of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28
PID 2340 wrote to memory of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28
PID 2340 wrote to memory of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28
PID 2340 wrote to memory of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28
PID 2340 wrote to memory of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28
PID 2340 wrote to memory of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28
PID 2340 wrote to memory of 2632	2340	73ba302c6db589bcc68b8686618889e8.exe	28

C:\Users\Admin\AppData\Local\Temp\73ba302c6db589bcc68b8686618889e8.exe
"C:\Users\Admin\AppData\Local\Temp\73ba302c6db589bcc68b8686618889e8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2340
- C:\Users\Admin\AppData\Local\Temp\73ba302c6db589bcc68b8686618889e8.exe
  "C:\Users\Admin\AppData\Local\Temp\73ba302c6db589bcc68b8686618889e8.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2632

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2340-0-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-1-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2340-2-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-3-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2340-4-0x0000000000290000-0x00000000002D0000-memory.dmp

Filesize
256KB

Download
memory/2340-10-0x0000000074880000-0x0000000074E2B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-5-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2632-6-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2632-7-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2632-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2632-11-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download
memory/2632-12-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download