formbook | 3887ac4e7b5b900b8ed25ff0a5003ef06045b5f46e7ebc8e45dba8986c44743b

Analysis

max time kernel
140s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
10-08-2024 04:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Nuevo orden pdf.exe
Size

1.4MB
MD5

5c73505b356cb427ef1817910a9d8c8d
SHA1

e9c18e17d3701db467879f83e0bf71a98a35c89f
SHA256

877609ad75eb29e1b0813478089df76928fabbaa41538c10f08b4497a2da9f9f
SHA512

27f9fe8b7069d8d5ace439d7bfc56f02930d0a8cd24e470c17585365600084d6e6912556b5b2317155ea03828e631378651438877cb2dff69da3dfbe187baf29
SSDEEP

12288:mwnPf8auHABbBXRzwHAMauf4WhAjNzDy8jXz2Vk1tNpTH2G:B9uHABZdwHpr4Wu1RTV1tNpTWG

Score

10^/10

formbook gy15 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gy15

Decoy

yb40w.top

286live.com

poozonlife.com

availableweedsonline.com

22926839.com

petlovepet.fun

halbaexpress.com

newswingbd.com

discountdesh.com

jwoalhbn.xyz

dandevonald.com

incrediblyxb.christmas

ailia.pro

ga3ki3.com

99812.photos

richiecom.net

ummahskills.online

peakleyva.store

a1cbloodtest.com

insurancebygarry.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2216-5-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Program crash 1 IoCs

pid	pid_target	Process	procid_target
464	2216	WerFault.exe	88

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1260 set thread context of 2216	1260	Nuevo orden pdf.exe	88

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1260 wrote to memory of 2216	1260	Nuevo orden pdf.exe	88
PID 1260 wrote to memory of 2216	1260	Nuevo orden pdf.exe	88
PID 1260 wrote to memory of 2216	1260	Nuevo orden pdf.exe	88
PID 1260 wrote to memory of 2216	1260	Nuevo orden pdf.exe	88
PID 1260 wrote to memory of 2216	1260	Nuevo orden pdf.exe	88
PID 1260 wrote to memory of 2216	1260	Nuevo orden pdf.exe	88

C:\Users\Admin\AppData\Local\Temp\Nuevo orden pdf.exe
"C:\Users\Admin\AppData\Local\Temp\Nuevo orden pdf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1260
- C:\Program Files (x86)\Internet Explorer\iexplore.exe
  "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
  2⤵
  PID:2216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2216 -s 12
    3⤵
    - Program crash
    PID:464

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 2216 -ip 2216
1⤵
PID:2204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1260-0-0x0000027BF3100000-0x0000027BF310A000-memory.dmp

Filesize
40KB

Download
memory/1260-1-0x00007FFE9D653000-0x00007FFE9D655000-memory.dmp

Filesize
8KB

Download
memory/1260-2-0x0000027BF34B0000-0x0000027BF34B6000-memory.dmp

Filesize
24KB

Download
memory/1260-3-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp

Filesize
10.8MB

Download
memory/1260-4-0x0000027BF34E0000-0x0000027BF3566000-memory.dmp

Filesize
536KB

Download
memory/1260-6-0x00007FFE9D650000-0x00007FFE9E111000-memory.dmp

Filesize
10.8MB

Download
memory/2216-5-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download