formbook | e0e30c8c2180ba5b019bb78098a25811a1989a1bc6809e4c17130d887c47a24e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-03-2024 13:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df47fa42103603f654eeecd807f6238d.exe
Size

742KB
MD5

df47fa42103603f654eeecd807f6238d
SHA1

c6c976bb06d92279242081c0545517c94628e3a8
SHA256

e0e30c8c2180ba5b019bb78098a25811a1989a1bc6809e4c17130d887c47a24e
SHA512

a3d21ae1b99fb5893c8232f2a3cfdfadb1e7a0345247e56f8591b5d9772e12bf66bf9bc816123c6179c6bd07d6ac265152f70e0e017934289c50fd25587d5d52
SSDEEP

12288:Fnq/cgomhNFmqk3sPpXoO7hS1t9oJ9OlBk2qvRrB9l9X:zgLKySYhWtuwBktprB9l

Score

10^/10

formbook ucze rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ucze

Decoy

motorcyclemagician.com

powerreport.xyz

ychfgdne.icu

presentschein.com

seabreathing.com

stlukeyouth.com

ifixconstruction.repair

thietbikhaithacdatuanphat.com

hexdeville.com

xn--planungsbro-stanko-u6b.net

elisebruneau.com

yxflwwbvz.icu

wafirainteriors.com

hexok.com

krewedubethkevin.com

lassilacgi.com

bestvolvowebsite.com

clarissajaneen.com

foreverchemicallawsuit.com

ebizkendra.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/1564-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3308 set thread context of 1564	3308	df47fa42103603f654eeecd807f6238d.exe	101

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
1564	df47fa42103603f654eeecd807f6238d.exe
1564	df47fa42103603f654eeecd807f6238d.exe
1564	df47fa42103603f654eeecd807f6238d.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 1564	3308	df47fa42103603f654eeecd807f6238d.exe	101
PID 3308 wrote to memory of 1564	3308	df47fa42103603f654eeecd807f6238d.exe	101
PID 3308 wrote to memory of 1564	3308	df47fa42103603f654eeecd807f6238d.exe	101
PID 3308 wrote to memory of 1564	3308	df47fa42103603f654eeecd807f6238d.exe	101
PID 3308 wrote to memory of 1564	3308	df47fa42103603f654eeecd807f6238d.exe	101
PID 3308 wrote to memory of 1564	3308	df47fa42103603f654eeecd807f6238d.exe	101

C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe
"C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe
  "C:\Users\Admin\AppData\Local\Temp\df47fa42103603f654eeecd807f6238d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1564

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1564-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1564-16-0x0000000001AF0000-0x0000000001E3A000-memory.dmp

Filesize
3.3MB

Download
memory/1564-15-0x0000000001AF0000-0x0000000001E3A000-memory.dmp

Filesize
3.3MB

Download
memory/3308-4-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/3308-0-0x0000000000B80000-0x0000000000C40000-memory.dmp

Filesize
768KB

Download
memory/3308-5-0x00000000056D0000-0x00000000056DA000-memory.dmp

Filesize
40KB

Download
memory/3308-6-0x0000000005C60000-0x0000000005C7C000-memory.dmp

Filesize
112KB

Download
memory/3308-7-0x00000000083A0000-0x000000000843C000-memory.dmp

Filesize
624KB

Download
memory/3308-8-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/3308-9-0x0000000005770000-0x0000000005780000-memory.dmp

Filesize
64KB

Download
memory/3308-10-0x0000000008550000-0x00000000085E0000-memory.dmp

Filesize
576KB

Download
memory/3308-11-0x000000000AC50000-0x000000000ACAA000-memory.dmp

Filesize
360KB

Download
memory/3308-3-0x0000000005600000-0x0000000005692000-memory.dmp

Filesize
584KB

Download
memory/3308-14-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download
memory/3308-2-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/3308-1-0x0000000075120000-0x00000000758D0000-memory.dmp

Filesize
7.7MB

Download