formbook | 32bbf2e5e3a25176126e173d9f5cda01040c9f82fd426c1463fdaeb7ade8adf5

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 05:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e0ea43818cf17d804ee897584efdd06f.exe
Size

829KB
MD5

e0ea43818cf17d804ee897584efdd06f
SHA1

fe729ee34f962c5ce0cf611e97fc4da98bb794a1
SHA256

32bbf2e5e3a25176126e173d9f5cda01040c9f82fd426c1463fdaeb7ade8adf5
SHA512

874f306169e786edf0ac6112be70e98be6a7261a8ee70b56421f771488f0525f930853ec768a8b06739810b2659d90024bce359e6ec893eeeab9fea59355f7e4
SSDEEP

24576:AITjS/d3G34AxzXOgYsw3ixZWphUMqAtDLuNc2LDLFdE:VzIy+5seRUM7tr2LDL4

Score

10^/10

formbook bkbk rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bkbk

Decoy

myzshouse.com

elimabd.com

iandiphoto.com

k9yhf.com

lalaandthelight.com

spearteam6.com

tdv29mayiskoleji.net

senthamizholi.com

toprooferelpaso.com

homegraphicdesign.com

formas-de-ganar-dinero.online

psgvsfreelive.com

xclusivedispatch.com

qdhizwlti.icu

hananomi24.com

seikobaby.com

cursosinemlinea.com

vintage-transport.com

billings-identify.com

simplepartyplanning.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

CustAttr .NET packer 1 IoCs

Detects CustAttr .NET packer in memory.

Processes:

resource	yara_rule
behavioral1/memory/1500-3-0x0000000000260000-0x0000000000272000-memory.dmp	CustAttr

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2192-12-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

e0ea43818cf17d804ee897584efdd06f.exe

description pid process target process

PID 1500 set thread context of 2192 1500 e0ea43818cf17d804ee897584efdd06f.exe e0ea43818cf17d804ee897584efdd06f.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e0ea43818cf17d804ee897584efdd06f.exe

pid process

2192 e0ea43818cf17d804ee897584efdd06f.exe

description	pid	process	target process
PID 1500 set thread context of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe

pid	process
2192	e0ea43818cf17d804ee897584efdd06f.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e0ea43818cf17d804ee897584efdd06f.exe

description	pid	process	target process
PID 1500 wrote to memory of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe
PID 1500 wrote to memory of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe
PID 1500 wrote to memory of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe
PID 1500 wrote to memory of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe
PID 1500 wrote to memory of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe
PID 1500 wrote to memory of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe
PID 1500 wrote to memory of 2192	1500	e0ea43818cf17d804ee897584efdd06f.exe	e0ea43818cf17d804ee897584efdd06f.exe

C:\Users\Admin\AppData\Local\Temp\e0ea43818cf17d804ee897584efdd06f.exe
"C:\Users\Admin\AppData\Local\Temp\e0ea43818cf17d804ee897584efdd06f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1500

C:\Users\Admin\AppData\Local\Temp\e0ea43818cf17d804ee897584efdd06f.exe
"C:\Users\Admin\AppData\Local\Temp\e0ea43818cf17d804ee897584efdd06f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2192

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1500-6-0x00000000059A0000-0x0000000005A1C000-memory.dmp

Filesize
496KB

Download
memory/1500-13-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-2-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1500-3-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1500-4-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-5-0x0000000004840000-0x0000000004880000-memory.dmp

Filesize
256KB

Download
memory/1500-1-0x0000000074A40000-0x000000007512E000-memory.dmp

Filesize
6.9MB

Download
memory/1500-7-0x0000000000A10000-0x0000000000A44000-memory.dmp

Filesize
208KB

Download
memory/1500-0-0x0000000000EC0000-0x0000000000F96000-memory.dmp

Filesize
856KB

Download
memory/2192-8-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2192-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2192-14-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download
memory/2192-15-0x0000000000700000-0x0000000000A03000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads