formbook | d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1

Analysis

max time kernel
140s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 02:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
Size

643KB
MD5

54c09b432ceed3439d758f235ac8ec1d
SHA1

c384270d0c1f59c48b36614c20d31d8591600bf1
SHA256

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1
SHA512

df0a62086926edaa2d011439cbee9e25c70440e847e0e21430caa419b79220ebbb613d43ec4a2dbc5d655571f556c8c6693b1e4d324b357f189519cb93d32cdb
SSDEEP

12288:7drLbDZaNRpA40Yo2W1ymtumaumtf+aqf+cx8GdMPhvla3i:pLDZMRpxlu8kumRmKMP+

Score

10^/10

formbook sl07 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

sl07

Decoy

stryper.net

riseandvibetime.com

thebenmorley.com

kdfdq.com

pet4cus.com

agrosoft.farm

utopiagood.com

sanduskyspeedway.com

eldozz-quarter.top

weixuninvest.com

taxiboativano.net

odvip377.com

bubblegome.com

peakwealtharchitects.com

mondaytoyoulive.lat

huohullq.com

the-inferno-slots-casino.top

yy88abcd88yyy.xyz

azbenfica.com

hunectar.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1508-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

description	pid	process	target process
PID 2860 set thread context of 1508	2860	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

pid	process
1508	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
1508	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

description	pid	process	target process
PID 2860 wrote to memory of 1508	2860	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2860 wrote to memory of 1508	2860	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2860 wrote to memory of 1508	2860	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2860 wrote to memory of 1508	2860	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2860 wrote to memory of 1508	2860	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
PID 2860 wrote to memory of 1508	2860	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe	d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe

C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
"C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2860

C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe
"C:\Users\Admin\AppData\Local\Temp\d7e1f067ee0b2d5556d1f7b1fdee8b0cf099ca3f45cf412d115440d79d76ebb1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1508-15-0x0000000001560000-0x00000000018AA000-memory.dmp

Filesize
3.3MB

Download
memory/1508-14-0x0000000001560000-0x00000000018AA000-memory.dmp

Filesize
3.3MB

Download
memory/2860-5-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-4-0x00000000056A0000-0x00000000056AA000-memory.dmp

Filesize
40KB

Download
memory/2860-6-0x0000000005A30000-0x0000000005ACC000-memory.dmp

Filesize
624KB

Download
memory/2860-0-0x0000000074B4E000-0x0000000074B4F000-memory.dmp

Filesize
4KB

Download
memory/2860-7-0x0000000005780000-0x00000000057A2000-memory.dmp

Filesize
136KB

Download
memory/2860-8-0x0000000005960000-0x000000000596C000-memory.dmp

Filesize
48KB

Download
memory/2860-9-0x0000000002F20000-0x0000000002F30000-memory.dmp

Filesize
64KB

Download
memory/2860-10-0x00000000067D0000-0x0000000006846000-memory.dmp

Filesize
472KB

Download
memory/2860-3-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/2860-13-0x0000000074B40000-0x00000000752F0000-memory.dmp

Filesize
7.7MB

Download
memory/2860-2-0x0000000005D60000-0x0000000006304000-memory.dmp

Filesize
5.6MB

Download
memory/2860-1-0x0000000000C00000-0x0000000000CA6000-memory.dmp

Filesize
664KB

Download