formbook | 294d980ee33b3ee783ef73efa634d8f910ac910f3a1d2b685daea4151dc7d3f2

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 10:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New request for quotation9867875‮fdp.exe
Size

450KB
MD5

8bdeb6070b54bcbb362faea15aaf8f7f
SHA1

7708c09b98622341b13ffcb99fd61778f51c16fc
SHA256

63b52bedfe18fe9a059dafcf21ed7d2bd58b00e8b4078c98e165c36e3d347b60
SHA512

1033d22a99be996d10eea1affa1beaf067eb29c7235ae7080e86f8da71b0ee5252b4cdf45e0553897cdeae49154c113cf7ac8ed02bc2a38de8df1b1d042d0c23
SSDEEP

6144:9aUDG3Kp1O6VEJD6Lpzu5VGZ1xbt3oN/EqiOq762DOHXRSE8:9aUDd26VEt6pu5GbtwEqXq7pDOHw

Score

10^/10

formbook m1d agilenet rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m1d

Decoy

ecodezine.com

petshoot.com

finamoreservices.com

blcbbs.com

isarlog.com

vitall-holding.com

deeperootscbd.com

elizabethavan.com

xn--hizmetasistanm-igc.com

healing-with-touch.com

zebfx.com

optibm.com

mybrandsellsyourland.com

estebanell.com

average-gaming.net

beproudof.site

werrei.com

97mix.com

pastaneli.com

topryan.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3064-1-0x0000000000A40000-0x0000000000AB6000-memory.dmp	formbook
behavioral2/memory/3948-13-0x0000000000550000-0x000000000057D000-memory.dmp	formbook

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

Processes:

resource	yara_rule
behavioral2/memory/3064-4-0x0000000002E00000-0x0000000002E14000-memory.dmp	agile_net

Suspicious use of SetThreadContext 1 IoCs

Processes:

New request for quotation9867875‮fdp.exe

description	pid	process	target process
PID 3064 set thread context of 3948	3064	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4936 3948 WerFault.exe New request for quotation9867875‮fdp.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

New request for quotation9867875‮fdp.exe

pid process

3064 New request for quotation9867875‮fdp.exe
3064 New request for quotation9867875‮fdp.exe
3064 New request for quotation9867875‮fdp.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

New request for quotation9867875‮fdp.exe

description pid process

Token: SeDebugPrivilege 3064 New request for quotation9867875‮fdp.exe

pid	pid_target	process	target process
4936	3948	WerFault.exe	New request for quotation9867875‮fdp.exe

pid	process
3064	New request for quotation9867875‮fdp.exe
3064	New request for quotation9867875‮fdp.exe
3064	New request for quotation9867875‮fdp.exe

description	pid	process
Token: SeDebugPrivilege	3064	New request for quotation9867875‮fdp.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

New request for quotation9867875‮fdp.exe

description	pid	process	target process
PID 3064 wrote to memory of 3948	3064	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 3064 wrote to memory of 3948	3064	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 3064 wrote to memory of 3948	3064	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 3064 wrote to memory of 3948	3064	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 3064 wrote to memory of 3948	3064	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe
PID 3064 wrote to memory of 3948	3064	New request for quotation9867875‮fdp.exe	New request for quotation9867875‮fdp.exe

C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe
"C:\Users\Admin\AppData\Local\Temp\New request for quotation9867875‮fdp.exe"
2⤵
PID:3948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3948 -s 184
3⤵
- Program crash
PID:4936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3948 -ip 3948
1⤵
PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3064-6-0x00000000056C0000-0x00000000056C8000-memory.dmp

Filesize
32KB

Download
memory/3064-0-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/3064-2-0x0000000005990000-0x0000000005F34000-memory.dmp

Filesize
5.6MB

Download
memory/3064-3-0x00000000054C0000-0x0000000005552000-memory.dmp

Filesize
584KB

Download
memory/3064-4-0x0000000002E00000-0x0000000002E14000-memory.dmp

Filesize
80KB

Download
memory/3064-5-0x0000000005420000-0x0000000005428000-memory.dmp

Filesize
32KB

Download
memory/3064-1-0x0000000000A40000-0x0000000000AB6000-memory.dmp

Filesize
472KB

Download
memory/3064-7-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-10-0x000000007483E000-0x000000007483F000-memory.dmp

Filesize
4KB

Download
memory/3064-9-0x0000000006900000-0x0000000006922000-memory.dmp

Filesize
136KB

Download
memory/3064-8-0x00000000062E0000-0x0000000006324000-memory.dmp

Filesize
272KB

Download
memory/3064-11-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3064-16-0x0000000074830000-0x0000000074FE0000-memory.dmp

Filesize
7.7MB

Download
memory/3948-13-0x0000000000550000-0x000000000057D000-memory.dmp

Filesize
180KB

Download