formbook | c2ff62acf746324212f08dc2fcaa6632714f93a2c5f2c6bd36871a9acf88f474

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
27-03-2024 11:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e196217570169975afaba0203cc849e5.exe
Size

221KB
MD5

e196217570169975afaba0203cc849e5
SHA1

c230cbfa709fb8179302c44f4696f7fcd3149dc1
SHA256

c2ff62acf746324212f08dc2fcaa6632714f93a2c5f2c6bd36871a9acf88f474
SHA512

100f8147e6ce0d496a862b817a2e57f9eda529d4abbbab60a3c1dbd521ccd54db077ba903b3691df2a2ae28397d7397914bcc050bd0939416351df90d3ad9d98
SSDEEP

3072:I7/AJNvlRruSvJh9xeyk1EvAty0GTksa0+KZ90lQ+Ytgt4rPZUDKH4sSns:I7MfrlhhbobE3TWKZHgtchUD19n

Score

10^/10

formbook m4ts rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m4ts

Decoy

sverreogjenny.com

hybctd.com

cash4homesutah.com

finaday.com

thecreepniks.com

yumnamc.com

hkk-diary-notes.com

enhancedtech.net

bestmercedesbenzwebsite.com

healingmusicx.com

coegl.com

apinchofearth.com

headsetlinks.com

gxshenghuang.com

skyscrapersaluminium.com

seres.tech

mycrystalcare.com

irgemedia.com

hscecourses.com

ludicrousnutrients.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4876-5-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

e196217570169975afaba0203cc849e5.exe

description pid process target process

PID 4212 set thread context of 4876 4212 e196217570169975afaba0203cc849e5.exe e196217570169975afaba0203cc849e5.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e196217570169975afaba0203cc849e5.exe

pid process

4876 e196217570169975afaba0203cc849e5.exe
4876 e196217570169975afaba0203cc849e5.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

e196217570169975afaba0203cc849e5.exe

description pid process

Token: SeDebugPrivilege 4212 e196217570169975afaba0203cc849e5.exe

description	pid	process	target process
PID 4212 set thread context of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe

pid	process
4876	e196217570169975afaba0203cc849e5.exe
4876	e196217570169975afaba0203cc849e5.exe

description	pid	process
Token: SeDebugPrivilege	4212	e196217570169975afaba0203cc849e5.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e196217570169975afaba0203cc849e5.exe

description	pid	process	target process
PID 4212 wrote to memory of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe
PID 4212 wrote to memory of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe
PID 4212 wrote to memory of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe
PID 4212 wrote to memory of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe
PID 4212 wrote to memory of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe
PID 4212 wrote to memory of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe
PID 4212 wrote to memory of 4876	4212	e196217570169975afaba0203cc849e5.exe	e196217570169975afaba0203cc849e5.exe

C:\Users\Admin\AppData\Local\Temp\e196217570169975afaba0203cc849e5.exe
"C:\Users\Admin\AppData\Local\Temp\e196217570169975afaba0203cc849e5.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4212

C:\Users\Admin\AppData\Local\Temp\e196217570169975afaba0203cc849e5.exe
"C:\Users\Admin\AppData\Local\Temp\e196217570169975afaba0203cc849e5.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4212-0-0x0000000000940000-0x000000000097E000-memory.dmp

Filesize
248KB

Download
memory/4212-1-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4212-2-0x0000000005230000-0x00000000052CC000-memory.dmp

Filesize
624KB

Download
memory/4212-3-0x0000000005420000-0x0000000005430000-memory.dmp

Filesize
64KB

Download
memory/4212-4-0x0000000005130000-0x0000000005168000-memory.dmp

Filesize
224KB

Download
memory/4212-7-0x0000000074D90000-0x0000000075540000-memory.dmp

Filesize
7.7MB

Download
memory/4876-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4876-8-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download
memory/4876-9-0x0000000000E80000-0x00000000011CA000-memory.dmp

Filesize
3.3MB

Download