formbook | e7fd91e7f7e1474b1db1cc9239e0c89071c7c754901f5500c6ac3f8c3ea9d656

Analysis

max time kernel
143s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
29/01/2024, 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f77742653236bb26dd573db2c014f87.exe
Size

745KB
MD5

7f77742653236bb26dd573db2c014f87
SHA1

ca2dfd318ed51a2951c35f1cb440dbc43c52fe74
SHA256

e7fd91e7f7e1474b1db1cc9239e0c89071c7c754901f5500c6ac3f8c3ea9d656
SHA512

deed51f65277c9e0c9500bea924317c344a96c73e22ab16a7ec5cdf4e06b06de04a2c384507743be3c9c76e261ae752689da083688e4997436f9c9ef696ce34c
SSDEEP

12288:wwQPpvhcHyTCOsBgo0q4wME4m3DtvA2B49wyNv6CvBVdIqwH5GxJv:wwQPpvh3COsBgo0q4wME4mO99w8lJA5Q

Score

10^/10

formbook rh0s rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rh0s

Decoy

operatethekitchen.com

albaturkvatifbank.com

buzduganjr.com

binnsmotorinn.com

slotz789.com

bbwelldrilling.com

ldygqr.com

copyrightrules-ig.com

grabnsnatch.net

snowboardworldcup2009.com

mkstarz.com

flattoplakehomesforsale.com

tradinglife123.net

cafearabicanj.com

thekozow.com

wii2review26.club

youcanpassusmle.com

tydevelops.com

fashionwatchesstore.com

peeleasubo.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

resource	yara_rule
behavioral2/memory/1472-8-0x0000000002540000-0x0000000002552000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/3996-13-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1472 set thread context of 3996	1472	7f77742653236bb26dd573db2c014f87.exe	93

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1472	7f77742653236bb26dd573db2c014f87.exe
1472	7f77742653236bb26dd573db2c014f87.exe
3996	7f77742653236bb26dd573db2c014f87.exe
3996	7f77742653236bb26dd573db2c014f87.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1472	7f77742653236bb26dd573db2c014f87.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 3676	1472	7f77742653236bb26dd573db2c014f87.exe	92
PID 1472 wrote to memory of 3676	1472	7f77742653236bb26dd573db2c014f87.exe	92
PID 1472 wrote to memory of 3676	1472	7f77742653236bb26dd573db2c014f87.exe	92
PID 1472 wrote to memory of 3996	1472	7f77742653236bb26dd573db2c014f87.exe	93
PID 1472 wrote to memory of 3996	1472	7f77742653236bb26dd573db2c014f87.exe	93
PID 1472 wrote to memory of 3996	1472	7f77742653236bb26dd573db2c014f87.exe	93
PID 1472 wrote to memory of 3996	1472	7f77742653236bb26dd573db2c014f87.exe	93
PID 1472 wrote to memory of 3996	1472	7f77742653236bb26dd573db2c014f87.exe	93
PID 1472 wrote to memory of 3996	1472	7f77742653236bb26dd573db2c014f87.exe	93

C:\Users\Admin\AppData\Local\Temp\7f77742653236bb26dd573db2c014f87.exe
"C:\Users\Admin\AppData\Local\Temp\7f77742653236bb26dd573db2c014f87.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\7f77742653236bb26dd573db2c014f87.exe
  "C:\Users\Admin\AppData\Local\Temp\7f77742653236bb26dd573db2c014f87.exe"
  2⤵
  PID:3676
- C:\Users\Admin\AppData\Local\Temp\7f77742653236bb26dd573db2c014f87.exe
  "C:\Users\Admin\AppData\Local\Temp\7f77742653236bb26dd573db2c014f87.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3996

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1472-8-0x0000000002540000-0x0000000002552000-memory.dmp

Filesize
72KB

Download
memory/1472-9-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1472-2-0x0000000004B00000-0x0000000004B9C000-memory.dmp

Filesize
624KB

Download
memory/1472-3-0x0000000005150000-0x00000000056F4000-memory.dmp

Filesize
5.6MB

Download
memory/1472-4-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/1472-5-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1472-0-0x00000000001D0000-0x0000000000290000-memory.dmp

Filesize
768KB

Download
memory/1472-6-0x0000000004BE0000-0x0000000004BEA000-memory.dmp

Filesize
40KB

Download
memory/1472-1-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/1472-7-0x0000000004E80000-0x0000000004ED6000-memory.dmp

Filesize
344KB

Download
memory/1472-10-0x0000000004D80000-0x0000000004D90000-memory.dmp

Filesize
64KB

Download
memory/1472-11-0x0000000007A30000-0x0000000007AB2000-memory.dmp

Filesize
520KB

Download
memory/1472-12-0x0000000007AB0000-0x0000000007AE8000-memory.dmp

Filesize
224KB

Download
memory/1472-15-0x00000000749C0000-0x0000000075170000-memory.dmp

Filesize
7.7MB

Download
memory/3996-13-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3996-16-0x0000000001810000-0x0000000001B5A000-memory.dmp

Filesize
3.3MB

Download