formbook | 8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe
Size

651KB
MD5

461a238903404999e36835284a2eaaf7
SHA1

d8a050750f7fdc5038d4164c8f7d247d2cecf7a9
SHA256

8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4
SHA512

dbacc9234a74ac470839a6668899a6725c915d4ffb4c9fa27208d18cf35798bc6edef056a99e9500131257bb1d37a2cc280c9fabd409f55900f8db602368f586
SSDEEP

12288:eiETpbqSE35/ohUxyWC5c5+C4PE4Y5tq1czVGZaIrKiHbts3/1MkR:WbqSE3JYwkm5+CmEjGlNrKc5M/F

Score

10^/10

formbook cn26 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cn26

Decoy

ajtsistemas.com

kolotylo.info

mraofficial.store

shopcupsareus.com

odishastatenews.in

yipicircle.life

bryve.shop

tempotrekstore.com

casinoslotsjoint.com

xiaoshuoxyz.com

art-birdsflyinghigh.com

odvip438.com

verlatservicios.com

bilocoin.world

lamaisonfacile.com

guojiang-v37.xyz

shsredgpoufnds.net

thequorumcompany.com

qf4h1tcpmgxor7b.skin

daisyjoanniezu.cyou

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4352-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3064 set thread context of 4352	3064	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe	91

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4352	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe
4352	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 4352	3064	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe	91
PID 3064 wrote to memory of 4352	3064	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe	91
PID 3064 wrote to memory of 4352	3064	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe	91
PID 3064 wrote to memory of 4352	3064	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe	91
PID 3064 wrote to memory of 4352	3064	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe	91
PID 3064 wrote to memory of 4352	3064	8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe	91

C:\Users\Admin\AppData\Local\Temp\8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe
"C:\Users\Admin\AppData\Local\Temp\8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Users\Admin\AppData\Local\Temp\8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe
  "C:\Users\Admin\AppData\Local\Temp\8b5376bda7dabd5355e17ed2d29a76b466f5197841a35568276c843e332835b4.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-6-0x00000000051F0000-0x000000000520E000-memory.dmp

Filesize
120KB

Download
memory/3064-13-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-2-0x0000000005380000-0x0000000005924000-memory.dmp

Filesize
5.6MB

Download
memory/3064-3-0x0000000004E70000-0x0000000004F02000-memory.dmp

Filesize
584KB

Download
memory/3064-4-0x0000000005020000-0x000000000502A000-memory.dmp

Filesize
40KB

Download
memory/3064-5-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-8-0x0000000005370000-0x0000000005386000-memory.dmp

Filesize
88KB

Download
memory/3064-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/3064-1-0x00000000003E0000-0x0000000000486000-memory.dmp

Filesize
664KB

Download
memory/3064-9-0x00000000068F0000-0x0000000006966000-memory.dmp

Filesize
472KB

Download
memory/3064-10-0x0000000008F50000-0x0000000008FEC000-memory.dmp

Filesize
624KB

Download
memory/3064-7-0x0000000005350000-0x0000000005360000-memory.dmp

Filesize
64KB

Download
memory/4352-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4352-14-0x0000000001770000-0x0000000001ABA000-memory.dmp

Filesize
3.3MB

Download