formbook | 27e3226a21e936159389c741965661a891edcc6228836e1b8fe820baa630b5ef

Analysis

max time kernel
147s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
17-04-2024 14:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41c452f4ba12f523916ad3390d3711d9d6c05a7c698a83a890095a8c722249a5.exe
Size

347KB
MD5

cb200521eb0a2795343b74dc489bceb6
SHA1

c5b53fbdd52fab35a5ad70c16dbcc335b7a27644
SHA256

41c452f4ba12f523916ad3390d3711d9d6c05a7c698a83a890095a8c722249a5
SHA512

53a6b2343ba2d2cd871650a3d7c582e1506541866b4a56e2cbccdf934aaddd1837795f9f88f886a14d37495a85ef3292d3d7c954c1641d6b957083190b7293d7
SSDEEP

6144:wVe3lL1uX1ACTFC1NQYNYD3ffl1fqdIhwqB1pJd:EiRu3FoQ9vfl1ydIhN1

Score

10^/10

formbook ce10 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ce10

Decoy

universalbowls.com

bp5.site

thiagokielingwebdesign.net

grapper.fun

grow-more.us

cqdh888.com

facthunter.app

cstars05.xyz

baumeagency.com

montevallotowing.top

joshtdownes.com

ampvit88.info

timelesscoutureclothing.com

stimuscle.com

uppervillekeyword.top

victoriabaltzer.com

laguindah.art

kiddieboost.com

santafekeyword.top

818experience.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/4308-2-0x00000000024A0000-0x00000000024CF000-memory.dmp	formbook
behavioral2/memory/4308-3-0x0000000000400000-0x0000000000879000-memory.dmp	formbook

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2548 4308 WerFault.exe 41c452f4ba12f523916ad3390d3711d9d6c05a7c698a83a890095a8c722249a5.exe

pid	pid_target	process	target process
2548	4308	WerFault.exe	41c452f4ba12f523916ad3390d3711d9d6c05a7c698a83a890095a8c722249a5.exe

C:\Users\Admin\AppData\Local\Temp\41c452f4ba12f523916ad3390d3711d9d6c05a7c698a83a890095a8c722249a5.exe
"C:\Users\Admin\AppData\Local\Temp\41c452f4ba12f523916ad3390d3711d9d6c05a7c698a83a890095a8c722249a5.exe"
1⤵
PID:4308

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4308 -s 268
2⤵
- Program crash
PID:2548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4308 -ip 4308
1⤵
PID:64

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4308-1-0x0000000000B00000-0x0000000000C00000-memory.dmp

Filesize
1024KB

Download
memory/4308-2-0x00000000024A0000-0x00000000024CF000-memory.dmp

Filesize
188KB

Download
memory/4308-3-0x0000000000400000-0x0000000000879000-memory.dmp

Filesize
4.5MB

Download