formbook | f6bb8018c90c49a3b09ad5b94cbfe5009b59abdee04d05be8f4ae8825f71cf19

Analysis

max time kernel
117s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
06/03/2024, 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b643c1dfbcea7629e8d7a9d64c4779a6.exe
Size

1.4MB
MD5

b643c1dfbcea7629e8d7a9d64c4779a6
SHA1

02addb137f4407dc05af7d862b2533b131733f59
SHA256

f6bb8018c90c49a3b09ad5b94cbfe5009b59abdee04d05be8f4ae8825f71cf19
SHA512

0a08c959b9a51c558cfa031a14efb2eaf880e7a632341303d30199f0a68ce36b7a8ea1d802244eeca8fdee3c34352c70e121d5e860be68ebb7356cabae6f0e1c
SSDEEP

12288:b6SgaIMVjLz7T8BiOcef3gVZsZZZsZbesbZYhZ8bfVe0S+dkl/WsiH42mHNClsrJ:AiOmeB4ftdCbt/QS5JNuBaP2nvm

Score

10^/10

formbook nmda rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nmda

Decoy

studiovelicham.com

minskpost.com

bakolytu.com

getbeautyshot.com

staabonlinechoice.com

ezulink.com

allbrandsmoto.com

expertdentalpro.com

grossmasterbalon.art

edutatega.com

salsasuarez.com

goodcopsbadcopsstore.com

stephanityrance.com

allgoodescrows.com

lotus-attari.com

chiselandgrit.com

herbalbooze.com

colossalpublicspeaking.com

summitcreators.com

exgateway.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2880-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2200 set thread context of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2880	b643c1dfbcea7629e8d7a9d64c4779a6.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2200 wrote to memory of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29
PID 2200 wrote to memory of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29
PID 2200 wrote to memory of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29
PID 2200 wrote to memory of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29
PID 2200 wrote to memory of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29
PID 2200 wrote to memory of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29
PID 2200 wrote to memory of 2880	2200	b643c1dfbcea7629e8d7a9d64c4779a6.exe	29

C:\Users\Admin\AppData\Local\Temp\b643c1dfbcea7629e8d7a9d64c4779a6.exe
"C:\Users\Admin\AppData\Local\Temp\b643c1dfbcea7629e8d7a9d64c4779a6.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Users\Admin\AppData\Local\Temp\b643c1dfbcea7629e8d7a9d64c4779a6.exe
  "C:\Users\Admin\AppData\Local\Temp\b643c1dfbcea7629e8d7a9d64c4779a6.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2200-6-0x0000000005510000-0x0000000005594000-memory.dmp

Filesize
528KB

Download
memory/2200-13-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-2-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2200-3-0x0000000000340000-0x0000000000354000-memory.dmp

Filesize
80KB

Download
memory/2200-4-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2200-5-0x0000000004D90000-0x0000000004DD0000-memory.dmp

Filesize
256KB

Download
memory/2200-7-0x0000000000730000-0x000000000077A000-memory.dmp

Filesize
296KB

Download
memory/2200-0-0x00000000008C0000-0x0000000000A2E000-memory.dmp

Filesize
1.4MB

Download
memory/2200-1-0x0000000074470000-0x0000000074B5E000-memory.dmp

Filesize
6.9MB

Download
memory/2880-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2880-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2880-14-0x0000000000A30000-0x0000000000D33000-memory.dmp

Filesize
3.0MB

Download