formbook | 21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13-02-2024 03:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
Size

627KB
MD5

e7a029f25a89befb7b3add26cabdaa9b
SHA1

3a164584b8fde06639ce6d051ebe7ae5544cf943
SHA256

21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a
SHA512

93e81674f2280f52730772f29c7cc987f0ead26226ce7ba69804f4ffa8c594d10b95a2d7d013d3c653280ba96f89bed97559aec517e91104f4b0b73926133eb0
SSDEEP

12288:wXEzqHKMbNhOdU0KaRD2RIy381JnoewVVaViCNblc1TkiqgX5LRN2s8I8:w0z87bPaRDHJxwVsVvNblYIUtF

Score

10^/10

formbook ki21 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ki21

Decoy

nikonz9.com

piazzadelcondominio.cloud

stylistandcojewelry.com

watchingmovie79.store

dontpanic.solutions

cy888.xyz

pediatricdentalassoc.com

mg2selot7.us

gotireja.com

valdez.cloud

burgoontowing.top

void89.site

yoicok.online

rjinfo.xyz

omgwin7.online

pineislandhouseforsale.com

squidgamehalf.com

cpphgroup.com

kitahoki.pro

greenfieldnetworkinvest.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4672-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3688 set thread context of 4672	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe	91

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
4672	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
4672	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3688 wrote to memory of 4672	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe	91
PID 3688 wrote to memory of 4672	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe	91
PID 3688 wrote to memory of 4672	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe	91
PID 3688 wrote to memory of 4672	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe	91
PID 3688 wrote to memory of 4672	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe	91
PID 3688 wrote to memory of 4672	3688	21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe	91

C:\Users\Admin\AppData\Local\Temp\21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
"C:\Users\Admin\AppData\Local\Temp\21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3688
- C:\Users\Admin\AppData\Local\Temp\21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe
  "C:\Users\Admin\AppData\Local\Temp\21a34d80499260fcf691ed16c83da9f3a9d14a7e2299d73d7976112230a98e5a.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3688-8-0x00000000087D0000-0x00000000087DA000-memory.dmp

Filesize
40KB

Download
memory/3688-6-0x0000000008480000-0x000000000851C000-memory.dmp

Filesize
624KB

Download
memory/3688-2-0x0000000005F60000-0x0000000006504000-memory.dmp

Filesize
5.6MB

Download
memory/3688-3-0x00000000059B0000-0x0000000005A42000-memory.dmp

Filesize
584KB

Download
memory/3688-0-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3688-5-0x0000000005960000-0x000000000596A000-memory.dmp

Filesize
40KB

Download
memory/3688-1-0x0000000000ED0000-0x0000000000F72000-memory.dmp

Filesize
648KB

Download
memory/3688-7-0x00000000087B0000-0x00000000087C4000-memory.dmp

Filesize
80KB

Download
memory/3688-4-0x0000000005C00000-0x0000000005C10000-memory.dmp

Filesize
64KB

Download
memory/3688-9-0x00000000087E0000-0x00000000087EE000-memory.dmp

Filesize
56KB

Download
memory/3688-10-0x0000000008870000-0x00000000088EC000-memory.dmp

Filesize
496KB

Download
memory/3688-11-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3688-15-0x00000000744E0000-0x0000000074C90000-memory.dmp

Filesize
7.7MB

Download
memory/3688-13-0x0000000005C00000-0x0000000005C10000-memory.dmp

Filesize
64KB

Download
memory/4672-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4672-16-0x0000000001670000-0x00000000019BA000-memory.dmp

Filesize
3.3MB

Download