formbook | a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-08-2024 01:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe
Size

607KB
MD5

690b2cd2a36fa7511b2d935a1efdc47f
SHA1

588f35c534c2ed93368446a25dde5f964119119f
SHA256

a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37
SHA512

5c96a1de338f2994693d0316e72a287ef0001926ca6a24d436d07d7d4e9c381a3bc1226cf567c16f5f600cd2b472130822798dd00ca9cfde09e4257c062db9ff
SSDEEP

12288:tVVln+HKifVQp+l3qRzNFCRZpUEmTITBDnjgqwEi87wruW:5dCKwQpM3wZIHUypjgqri87+uW

Score

10^/10

formbook hc58 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hc58

Decoy

reunioncoins.com

slot88win.today

diamondcarp.com

poke138.site

cratermaketing.com

mutokiva.website

thstocks5.online

openaquasurge.com

prodsdigital.com

exileescape.com

iqcjuetaudtj.com

bwexhaustprofl.com

indiglobalconnect.com

pushkeyclub.com

stephvin.top

lifebione.com

hannahmegery.com

brookchivell.com

bioskyline.com

nonprofitgrants.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2356-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2064 set thread context of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2356	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31
PID 2064 wrote to memory of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31
PID 2064 wrote to memory of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31
PID 2064 wrote to memory of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31
PID 2064 wrote to memory of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31
PID 2064 wrote to memory of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31
PID 2064 wrote to memory of 2356	2064	a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe	31

C:\Users\Admin\AppData\Local\Temp\a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe
"C:\Users\Admin\AppData\Local\Temp\a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Users\Admin\AppData\Local\Temp\a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe
  "C:\Users\Admin\AppData\Local\Temp\a68bc9acb795949fa2d0ee4a4ea0d7242ed87c9a3017af29a8bca49e6814ae37.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2064-6-0x00000000047E0000-0x0000000004856000-memory.dmp

Filesize
472KB

Download
memory/2064-0-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/2064-2-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-3-0x0000000002100000-0x0000000002118000-memory.dmp

Filesize
96KB

Download
memory/2064-4-0x0000000073FAE000-0x0000000073FAF000-memory.dmp

Filesize
4KB

Download
memory/2064-5-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2064-1-0x0000000000B30000-0x0000000000BCC000-memory.dmp

Filesize
624KB

Download
memory/2064-15-0x0000000073FA0000-0x000000007468E000-memory.dmp

Filesize
6.9MB

Download
memory/2356-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2356-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-7-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2356-16-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download
memory/2356-17-0x0000000000BD0000-0x0000000000ED3000-memory.dmp

Filesize
3.0MB

Download