formbook | 00a1389397741e429a832789b222bcfa27eeb64752d26477078262a6be1e5b6c

Analysis

max time kernel
122s
max time network
132s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-03-2024 08:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e13aec794ab852539c7ddc9b1684d795.exe
Size

384KB
MD5

e13aec794ab852539c7ddc9b1684d795
SHA1

7cd01153e6223b6b63604bddf960198958bde7bf
SHA256

00a1389397741e429a832789b222bcfa27eeb64752d26477078262a6be1e5b6c
SHA512

c9d6853f20e1462355ca71e8a9322b29a2e92361a4197bd0c00cd24f2e2e9ffc128ba5244a73da4edae2415c8daaaefc6fc320714272e3151fb3a935d7b74474
SSDEEP

12288:brf0P3HD5Y8n7nVzDMfmyQGCs23P9LyB4LnE8O:0P3H1Y87BIfQGC98B2El

Score

10^/10

formbook tnli rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

tnli

Decoy

thefoodrecipes.xyz

polefishing.store

ashdal.com

bodurm.com

queeningoutconsulting.com

villaricatruckparkingnearme.com

realestatebites.com

sofutureproof.com

guildmac.com

thegeeksbeanie.com

frenchiesstore.com

wizzywheels.com

sporyeri.online

8deltavapes.com

bowlandskincare.com

10dollarchat.com

talesfromthequadrat.com

bellaspetwear.com

linkenvideo080.xyz

master-tim.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2304-2-0x0000000000400000-0x000000000042E000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

e13aec794ab852539c7ddc9b1684d795.exe

description pid process target process

PID 2092 set thread context of 2304 2092 e13aec794ab852539c7ddc9b1684d795.exe e13aec794ab852539c7ddc9b1684d795.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

e13aec794ab852539c7ddc9b1684d795.exe

pid process

2304 e13aec794ab852539c7ddc9b1684d795.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

e13aec794ab852539c7ddc9b1684d795.exe

pid process

2092 e13aec794ab852539c7ddc9b1684d795.exe

description	pid	process	target process
PID 2092 set thread context of 2304	2092	e13aec794ab852539c7ddc9b1684d795.exe	e13aec794ab852539c7ddc9b1684d795.exe

pid	process
2304	e13aec794ab852539c7ddc9b1684d795.exe

pid	process
2092	e13aec794ab852539c7ddc9b1684d795.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

e13aec794ab852539c7ddc9b1684d795.exe

description	pid	process	target process
PID 2092 wrote to memory of 2304	2092	e13aec794ab852539c7ddc9b1684d795.exe	e13aec794ab852539c7ddc9b1684d795.exe
PID 2092 wrote to memory of 2304	2092	e13aec794ab852539c7ddc9b1684d795.exe	e13aec794ab852539c7ddc9b1684d795.exe
PID 2092 wrote to memory of 2304	2092	e13aec794ab852539c7ddc9b1684d795.exe	e13aec794ab852539c7ddc9b1684d795.exe
PID 2092 wrote to memory of 2304	2092	e13aec794ab852539c7ddc9b1684d795.exe	e13aec794ab852539c7ddc9b1684d795.exe
PID 2092 wrote to memory of 2304	2092	e13aec794ab852539c7ddc9b1684d795.exe	e13aec794ab852539c7ddc9b1684d795.exe

C:\Users\Admin\AppData\Local\Temp\e13aec794ab852539c7ddc9b1684d795.exe
"C:\Users\Admin\AppData\Local\Temp\e13aec794ab852539c7ddc9b1684d795.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2092

C:\Users\Admin\AppData\Local\Temp\e13aec794ab852539c7ddc9b1684d795.exe
"C:\Users\Admin\AppData\Local\Temp\e13aec794ab852539c7ddc9b1684d795.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2304

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2092-0-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2092-1-0x00000000002B0000-0x00000000002B2000-memory.dmp

Filesize
8KB

Download
memory/2092-3-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/2304-2-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2304-5-0x0000000000840000-0x0000000000B43000-memory.dmp

Filesize
3.0MB

Download