formbook | ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917

Analysis

max time kernel
95s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe
Size

550KB
MD5

cb0b9fd1fdae008c92228b57f6c50a90
SHA1

567cf2c5994f1485dc9d8808156fae39647649f0
SHA256

ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917
SHA512

9585d5b2d9bb93d575facebd97b05818a14ba02c984158a80322c7e494ffaf6e559155b48e0ddb363c1cc5a99c85ae7c92f5ef77df93be046d65278de7d25726
SSDEEP

12288:5MUgm/3dE/fGiCNGiTVTsdrE0V92fO/lk9onzNXxn2iv+:5M2//iCRSdrZV92f79onzNXEiv+

Score

10^/10

formbook giok rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

giok

Decoy

royaltysplit.xyz

home-remodeling-32327.bond

ocosoap.download

mx51pbk5z3.top

sapidermen154.buzz

always23082025.info

jencodiahcp.net

psychologist-therapy-13104.bond

okigoods.online

posedon.online

ryclegalpartners.info

seek-zapatosenlinea-cl.info

xataa.info

vitalityyvault.online

hallice732.xyz

snspleak.info

ilbrentdigitalx.info

breast-implants-17988.bond

subedisaurav.site

instamoney.website

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/4240-4-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4440 set thread context of 4240	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	85

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1676	4240	WerFault.exe	85

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe

Suspicious use of WriteProcessMemory 17 IoCs

description	pid	Process	procid_target
PID 4440 wrote to memory of 4880	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	83
PID 4440 wrote to memory of 4880	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	83
PID 4440 wrote to memory of 4880	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	83
PID 4440 wrote to memory of 4880	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	83
PID 4440 wrote to memory of 876	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	84
PID 4440 wrote to memory of 876	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	84
PID 4440 wrote to memory of 876	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	84
PID 4440 wrote to memory of 876	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	84
PID 4440 wrote to memory of 4240	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	85
PID 4440 wrote to memory of 4240	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	85
PID 4440 wrote to memory of 4240	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	85
PID 4440 wrote to memory of 4240	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	85
PID 4440 wrote to memory of 4240	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	85
PID 4440 wrote to memory of 4240	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	85
PID 4440 wrote to memory of 2216	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	86
PID 4440 wrote to memory of 2216	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	86
PID 4440 wrote to memory of 2216	4440	ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe	86

C:\Users\Admin\AppData\Local\Temp\ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe
"C:\Users\Admin\AppData\Local\Temp\ae2734cb4074c909b5d1469c4901bfc03487342723505ef4c1adcb41d64e3917N.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4880
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4240
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 16
    3⤵
    - Program crash
    PID:1676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 4240 -ip 4240
1⤵
PID:1428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4240-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4440-0-0x00007FFF96933000-0x00007FFF96935000-memory.dmp

Filesize
8KB

Download
memory/4440-1-0x00000269A57C0000-0x00000269A584C000-memory.dmp

Filesize
560KB

Download
memory/4440-2-0x00000269A75D0000-0x00000269A7658000-memory.dmp

Filesize
544KB

Download
memory/4440-3-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

Filesize
10.8MB

Download
memory/4440-5-0x00007FFF96930000-0x00007FFF973F1000-memory.dmp

Filesize
10.8MB

Download