formbook | d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1

Analysis

max time kernel
121s
max time network
126s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
Size

643KB
MD5

54c09b432ceed3439d758f235ac8ec1d
SHA1

c384270d0c1f59c48b36614c20d31d8591600bf1
SHA256

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1
SHA512

df0a62086926edaa2d011439cbee9e25c70440e847e0e21430caa419b79220ebbb613d43ec4a2dbc5d655571f556c8c6693b1e4d324b357f189519cb93d32cdb
SSDEEP

12288:7drLbDZaNRpA40Yo2W1ymtumaumtf+aqf+cx8GdMPhvla3i:pLDZMRpxlu8kumRmKMP+

Score

10^/10

formbook sl07 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sl07

Decoy

stryper.net

riseandvibetime.com

thebenmorley.com

kdfdq.com

pet4cus.com

agrosoft.farm

utopiagood.com

sanduskyspeedway.com

eldozz-quarter.top

weixuninvest.com

taxiboativano.net

odvip377.com

bubblegome.com

peakwealtharchitects.com

mondaytoyoulive.lat

huohullq.com

the-inferno-slots-casino.top

yy88abcd88yyy.xyz

azbenfica.com

hunectar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1204-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

description	pid	process	target process
PID 2228 set thread context of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

pid process

1204 d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

pid	process
1204	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

description	pid	process	target process
PID 2228 wrote to memory of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2228 wrote to memory of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2228 wrote to memory of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2228 wrote to memory of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2228 wrote to memory of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2228 wrote to memory of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2228 wrote to memory of 1204	2228	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
"C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2228

C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
"C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1204

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1204-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-14-0x0000000000A50000-0x0000000000D53000-memory.dmp

Filesize
3.0MB

Download
memory/1204-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1204-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1204-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2228-3-0x0000000000640000-0x0000000000662000-memory.dmp

Filesize
136KB

Download
memory/2228-6-0x0000000000300000-0x0000000000376000-memory.dmp

Filesize
472KB

Download
memory/2228-5-0x0000000000670000-0x0000000000680000-memory.dmp

Filesize
64KB

Download
memory/2228-4-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2228-0-0x0000000074EDE000-0x0000000074EDF000-memory.dmp

Filesize
4KB

Download
memory/2228-2-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-13-0x0000000074ED0000-0x00000000755BE000-memory.dmp

Filesize
6.9MB

Download
memory/2228-1-0x0000000000810000-0x00000000008B6000-memory.dmp

Filesize
664KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads