formbook | e0e30c8c2180ba5b019bb78098a25811a1989a1bc6809e4c17130d887c47a24e

Analysis

max time kernel
119s
max time network
122s
platform
windows7_x64
resource
win7-20240319-en
resource tags

arch:x64arch:x86image:win7-20240319-enlocale:en-usos:windows7-x64system
submitted
26-03-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df47fa42103603f654eeecd807f6238d.exe
Size

742KB
MD5

df47fa42103603f654eeecd807f6238d
SHA1

c6c976bb06d92279242081c0545517c94628e3a8
SHA256

e0e30c8c2180ba5b019bb78098a25811a1989a1bc6809e4c17130d887c47a24e
SHA512

a3d21ae1b99fb5893c8232f2a3cfdfadb1e7a0345247e56f8591b5d9772e12bf66bf9bc816123c6179c6bd07d6ac265152f70e0e017934289c50fd25587d5d52
SSDEEP

12288:Fnq/cgomhNFmqk3sPpXoO7hS1t9oJ9OlBk2qvRrB9l9X:zgLKySYhWtuwBktprB9l

Score

10^/10

formbook ucze rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ucze

Decoy

motorcyclemagician.com

powerreport.xyz

ychfgdne.icu

presentschein.com

seabreathing.com

stlukeyouth.com

ifixconstruction.repair

thietbikhaithacdatuanphat.com

hexdeville.com

xn--planungsbro-stanko-u6b.net

elisebruneau.com

yxflwwbvz.icu

wafirainteriors.com

hexok.com

krewedubethkevin.com

lassilacgi.com

bestvolvowebsite.com

clarissajaneen.com

foreverchemicallawsuit.com

ebizkendra.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2816-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

df47fa42103603f654eeecd807f6238d.exe

description pid process target process

PID 2052 set thread context of 2816 2052 df47fa42103603f654eeecd807f6238d.exe df47fa42103603f654eeecd807f6238d.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

df47fa42103603f654eeecd807f6238d.exe

pid process

2816 df47fa42103603f654eeecd807f6238d.exe

description	pid	process	target process
PID 2052 set thread context of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe

pid	process
2816	df47fa42103603f654eeecd807f6238d.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

df47fa42103603f654eeecd807f6238d.exe

description	pid	process	target process
PID 2052 wrote to memory of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe
PID 2052 wrote to memory of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe
PID 2052 wrote to memory of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe
PID 2052 wrote to memory of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe
PID 2052 wrote to memory of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe
PID 2052 wrote to memory of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe
PID 2052 wrote to memory of 2816	2052	df47fa42103603f654eeecd807f6238d.exe	df47fa42103603f654eeecd807f6238d.exe

C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe
"C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2052

C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe
"C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2816

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2052-6-0x0000000005F30000-0x0000000005FC0000-memory.dmp

Filesize
576KB

Download
memory/2052-0-0x0000000000830000-0x00000000008F0000-memory.dmp

Filesize
768KB

Download
memory/2052-2-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/2052-3-0x0000000000420000-0x000000000043C000-memory.dmp

Filesize
112KB

Download
memory/2052-4-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-5-0x0000000004E00000-0x0000000004E40000-memory.dmp

Filesize
256KB

Download
memory/2052-1-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2052-7-0x0000000004EB0000-0x0000000004F0A000-memory.dmp

Filesize
360KB

Download
memory/2052-13-0x0000000074150000-0x000000007483E000-memory.dmp

Filesize
6.9MB

Download
memory/2816-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2816-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2816-14-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download