formbook | e8815d23a30784440c043d16e0b62dfd5107c68f7139075b947575fee940a651

Analysis

max time kernel
118s
max time network
122s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 22:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7885d083cda2b5be4bfd33eaf138a9df.exe
Size

806KB
MD5

7885d083cda2b5be4bfd33eaf138a9df
SHA1

e8a131256dcc6b616203e43d54f561016e31c5b2
SHA256

e8815d23a30784440c043d16e0b62dfd5107c68f7139075b947575fee940a651
SHA512

91fe35e58039214914eb30fd233261844fff46e39764cafdfa47a8dc17980cb5219d56c4c4c1d9b8bfcd83c7271f496c3c36443224a6ede89f85bc9668c33f08
SSDEEP

12288:RSuXry7iS/d348plpPVTfaropWnLOciYbJiH6fRMxrYxDERYvXNt:Rtr9S/d3PVaoKZiY2IemJEoNt

Score

10^/10

formbook fndy rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fndy

Decoy

nerorog.com

gsdyqf.com

spyxcase.com

wassyoiseikatsu.net

binarytotext.online

conflictdynamicsprofile.com

forepast.com

raleighproduction.com

icqbet.net

applesgravity.com

lasmargsdenver.com

wordspanpublishing.com

sozialmediamarekting.com

sanaulahmalik.com

trufflesales.com

rajakreditmobil.com

remoteandfreelance.com

sunny-since-we-met.net

heloisecommunication.com

theatreimagination.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral1/memory/2028-3-0x00000000001D0000-0x00000000001E2000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2736-14-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2028 set thread context of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2736	7885d083cda2b5be4bfd33eaf138a9df.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30
PID 2028 wrote to memory of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30
PID 2028 wrote to memory of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30
PID 2028 wrote to memory of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30
PID 2028 wrote to memory of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30
PID 2028 wrote to memory of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30
PID 2028 wrote to memory of 2736	2028	7885d083cda2b5be4bfd33eaf138a9df.exe	30

C:\Users\Admin\AppData\Local\Temp\7885d083cda2b5be4bfd33eaf138a9df.exe
"C:\Users\Admin\AppData\Local\Temp\7885d083cda2b5be4bfd33eaf138a9df.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Users\Admin\AppData\Local\Temp\7885d083cda2b5be4bfd33eaf138a9df.exe
  "C:\Users\Admin\AppData\Local\Temp\7885d083cda2b5be4bfd33eaf138a9df.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2028-7-0x00000000003F0000-0x0000000000424000-memory.dmp

Filesize
208KB

Download
memory/2028-15-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-2-0x0000000000910000-0x0000000000950000-memory.dmp

Filesize
256KB

Download
memory/2028-3-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2028-4-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2028-5-0x0000000000910000-0x0000000000950000-memory.dmp

Filesize
256KB

Download
memory/2028-6-0x0000000005490000-0x000000000550C000-memory.dmp

Filesize
496KB

Download
memory/2028-0-0x0000000000980000-0x0000000000A50000-memory.dmp

Filesize
832KB

Download
memory/2028-1-0x00000000741E0000-0x00000000748CE000-memory.dmp

Filesize
6.9MB

Download
memory/2736-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2736-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-10-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2736-14-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2736-16-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download