formbook | fb5626aa0b14484f382fddb614ddd4e5778be51be30e71d3576182d284618227

Analysis

max time kernel
147s
max time network
124s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30-05-2024 23:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
Size

748KB
MD5

6ce0716c080aba7c27cff52d9b8ced20
SHA1

343812c4a2387f07012a99af9de486849a4f4491
SHA256

fb5626aa0b14484f382fddb614ddd4e5778be51be30e71d3576182d284618227
SHA512

49a1e1a1c8a775256de921f3c6fdc330fe1095ff03102d3651dbf0c8a6006884b3fd8b4fcf3b8f3860f71b60c08ab04b61573c85ffd083659dd89ef8a5e73c1e
SSDEEP

12288:NusT4cgRdrEAzvHG4zhsT4cgRdrEAzvHG4zj4Btw2YPRKOu7b6WF6:NusGRdrEAbm4zhsGRdrEAbm4zj4BGTuw

Score

10^/10

formbook rc2i rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rc2i

Decoy

gdhuadong.icu

girls-at-a.click

income.rocks

immobilientopclub.immo

frigologs.net

dominohome.store

lowestedt.motorcycles

purplesoul18.asia

fashiontochic.net

jpvalettrash.com

rgvneckpain.com

brainstormingpartner.com

xvwk.asia

universalnikko.com

3887788a2.top

militarysextv.com

xxysocial.com

coachbycoach.com

caregivergrantsfindonline.today

kimetsumatrix.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2720-35-0x0000000000400000-0x0000000000430000-memory.dmp	formbook
behavioral1/memory/2720-39-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

description	pid	process	target process
PID 3016 set thread context of 2720	3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

pid process

2720 6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
Suspicious behavior: MapViewOfSection 1 IoCs

Processes:

6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

pid process

3016 6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

pid process

3016 6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

pid	process
2720	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

pid	process
3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

pid	process
3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

description	pid	process	target process
PID 3016 wrote to memory of 2720	3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
PID 3016 wrote to memory of 2720	3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
PID 3016 wrote to memory of 2720	3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
PID 3016 wrote to memory of 2720	3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
PID 3016 wrote to memory of 2720	3016	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe	6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe

C:\Users\Admin\AppData\Local\Temp\6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
"C:\Users\Admin\AppData\Local\Temp\6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3016
- C:\Users\Admin\AppData\Local\Temp\6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe
  "C:\Users\Admin\AppData\Local\Temp\6ce0716c080aba7c27cff52d9b8ced20_NeikiAnalytics.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2720-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2720-39-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3016-28-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3016-27-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download
memory/3016-12-0x000000007294A000-0x000000007294B000-memory.dmp

Filesize
4KB

Download
memory/3016-10-0x0000000000610000-0x0000000000710000-memory.dmp

Filesize
1024KB

Download
memory/3016-7-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/3016-37-0x0000000072940000-0x0000000072A93000-memory.dmp

Filesize
1.3MB

Download