formbook | b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618

Analysis

max time kernel
106s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2024 02:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe
Size

550KB
MD5

304ae39e62244a946e1cef21393fe3b7
SHA1

6157b6191e3df5d1a01776cadd0e3988e7597bc8
SHA256

b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618
SHA512

8d765cc52575334ecf36256eb8ce0c6a2061b43b0d959888542111859b864cbe4227fdbb567a5db881fc97b1e19999e0c57b3b4cd875eea9264ea4715a2234ed
SSDEEP

12288:5MUgm/3dE/fGiCNGiTVTsdrE0V92fO/lk9onzNXxn2ive:5M2//iCRSdrZV92f79onzNXEive

Score

10^/10

formbook giok rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

giok

Decoy

royaltysplit.xyz

home-remodeling-32327.bond

ocosoap.download

mx51pbk5z3.top

sapidermen154.buzz

always23082025.info

jencodiahcp.net

psychologist-therapy-13104.bond

okigoods.online

posedon.online

ryclegalpartners.info

seek-zapatosenlinea-cl.info

xataa.info

vitalityyvault.online

hallice732.xyz

snspleak.info

ilbrentdigitalx.info

breast-implants-17988.bond

subedisaurav.site

instamoney.website

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/380-4-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2792 set thread context of 380	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	84

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4904	380	WerFault.exe	84

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 1456	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	83
PID 2792 wrote to memory of 1456	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	83
PID 2792 wrote to memory of 1456	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	83
PID 2792 wrote to memory of 1456	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	83
PID 2792 wrote to memory of 380	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	84
PID 2792 wrote to memory of 380	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	84
PID 2792 wrote to memory of 380	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	84
PID 2792 wrote to memory of 380	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	84
PID 2792 wrote to memory of 380	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	84
PID 2792 wrote to memory of 380	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	84
PID 2792 wrote to memory of 4788	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	85
PID 2792 wrote to memory of 4788	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	85
PID 2792 wrote to memory of 4788	2792	b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe	85

C:\Users\Admin\AppData\Local\Temp\b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe
"C:\Users\Admin\AppData\Local\Temp\b7c048465cfc09a8649043c0571a84d1edff4a8509e80dc55470fbbc83f0c618.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1456
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:380
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 12
    3⤵
    - Program crash
    PID:4904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 380 -ip 380
1⤵
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/380-4-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2792-0-0x00007FFD47823000-0x00007FFD47825000-memory.dmp

Filesize
8KB

Download
memory/2792-1-0x0000020B36100000-0x0000020B3618C000-memory.dmp

Filesize
560KB

Download
memory/2792-2-0x0000020B507D0000-0x0000020B50858000-memory.dmp

Filesize
544KB

Download
memory/2792-3-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download
memory/2792-5-0x00007FFD47820000-0x00007FFD482E1000-memory.dmp

Filesize
10.8MB

Download