formbook | c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 02:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
Size

591KB
MD5

3e9ed562d7396b0cf40e2eef56bfb08e
SHA1

6438ac88a4e0f722318e80bf5077489c8af64a91
SHA256

c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d
SHA512

2be71dcf1613979e2bca74401533b80995effc9d90c0d84b1b491f92d3d8f2065f0bb2632165918fd91ff3ec0f58ea74fdf1ecbe99d553f97021b6cec86546c6
SSDEEP

12288:vI361h61EWGiSOEMDy83Q2G2h0AQY06NuROqnEcptjOOhnLMIjq0wrVA61:vtY7GiSOEMDy8g2k+06BqVpJfPwrz

Score

10^/10

formbook fs35 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fs35

Decoy

latechdz.com

sdp-ploce.com

ss203.site

sm6yuy.net

needstothink.com

heginstwp.com

blueplumespirit.com

vemconferirshop.click

yorent-auto.com

eleononaly.com

medicalspacelocators.com

7law.info

imacanberra.online

bbtyss.top

onlyanfans.com

varenty.com

fappies.shop

313865.com

hongpools.com

babkacuisine.xyz

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3456-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe

description	pid	process	target process
PID 2772 set thread context of 3456	2772	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe

pid	process
3456	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
3456	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe

description	pid	process	target process
PID 2772 wrote to memory of 3456	2772	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
PID 2772 wrote to memory of 3456	2772	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
PID 2772 wrote to memory of 3456	2772	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
PID 2772 wrote to memory of 3456	2772	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
PID 2772 wrote to memory of 3456	2772	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
PID 2772 wrote to memory of 3456	2772	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe	c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe

C:\Users\Admin\AppData\Local\Temp\c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
"C:\Users\Admin\AppData\Local\Temp\c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2772
- C:\Users\Admin\AppData\Local\Temp\c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe
  "C:\Users\Admin\AppData\Local\Temp\c0126f29188353d5cc569ac4c7430b15aecebf14a60dd9dcac498fd3dc299e0d.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2772-9-0x0000000006D70000-0x0000000006D7A000-memory.dmp

Filesize
40KB

Download
memory/2772-6-0x00000000061D0000-0x00000000061DA000-memory.dmp

Filesize
40KB

Download
memory/2772-2-0x0000000005B20000-0x00000000060C4000-memory.dmp

Filesize
5.6MB

Download
memory/2772-3-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/2772-0-0x0000000074B7E000-0x0000000074B7F000-memory.dmp

Filesize
4KB

Download
memory/2772-5-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2772-1-0x0000000000A60000-0x0000000000AFA000-memory.dmp

Filesize
616KB

Download
memory/2772-7-0x0000000008820000-0x0000000008830000-memory.dmp

Filesize
64KB

Download
memory/2772-4-0x0000000005570000-0x00000000055D6000-memory.dmp

Filesize
408KB

Download
memory/2772-8-0x0000000006D60000-0x0000000006D68000-memory.dmp

Filesize
32KB

Download
memory/2772-11-0x0000000006FA0000-0x000000000703C000-memory.dmp

Filesize
624KB

Download
memory/2772-14-0x0000000074B70000-0x0000000075320000-memory.dmp

Filesize
7.7MB

Download
memory/2772-10-0x0000000006D90000-0x0000000006DFE000-memory.dmp

Filesize
440KB

Download
memory/3456-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3456-15-0x0000000001540000-0x000000000188A000-memory.dmp

Filesize
3.3MB

Download
memory/3456-16-0x0000000001540000-0x000000000188A000-memory.dmp

Filesize
3.3MB

Download