formbook | c685ec330ab087efbdabca54f967569cbc46de6be29626f03d488eade256ec8a

Analysis

max time kernel
52s
max time network
16s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
26-12-2024 23:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe
Size

638KB
MD5

af4c1f1515a7e3156c5184ff9a3542f1
SHA1

ce0867236704c2e96dc85c4e71b57a3ba9000819
SHA256

e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792
SHA512

c18536f2158e43e6376b17e4e1e714ae65441b5393a8db4cd2254b25ab7444f0910700ee4767162265bdfccfc40c24476ea3ecc57567cfe5f80c2311ace285ae
SSDEEP

12288:46KHHTwWOTn9KtX3Q1H2/75he6bw6LfcQP:YnTaen0HQFU6bw6LkQ

Score

10^/10

formbook as31 discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

as31

Decoy

satunusanet.com

intro3.xyz

000point.xyz

woreruq.xyz

yoursinglesnetwork.club

zdcqne.cfd

kkbtt.net

aflm1.com

slayback.net

metaverseuropeen.com

teng74.com

insgoat.com

willowgrovecoaching.com

pacwest.com.co

adleadz.info

ericanilsen.com

xdfgoiumk.site

oriondistribution.net

welltempered.xyz

futamatagawa-ekimae-shika.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral1/memory/2864-12-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2308 set thread context of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2864	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2308 wrote to memory of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30
PID 2308 wrote to memory of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30
PID 2308 wrote to memory of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30
PID 2308 wrote to memory of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30
PID 2308 wrote to memory of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30
PID 2308 wrote to memory of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30
PID 2308 wrote to memory of 2864	2308	e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe	30

C:\Users\Admin\AppData\Local\Temp\e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe
"C:\Users\Admin\AppData\Local\Temp\e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2308
- C:\Users\Admin\AppData\Local\Temp\e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe
  "C:\Users\Admin\AppData\Local\Temp\e4d96258c51cc4e4196c566e116077e7dc443a153e2ab651268ccd09c003d792.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2308-6-0x0000000004BF0000-0x0000000004C68000-memory.dmp

Filesize
480KB

Download
memory/2308-0-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/2308-2-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2308-3-0x0000000000340000-0x000000000034A000-memory.dmp

Filesize
40KB

Download
memory/2308-4-0x00000000747FE000-0x00000000747FF000-memory.dmp

Filesize
4KB

Download
memory/2308-5-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2308-1-0x0000000000E00000-0x0000000000EA4000-memory.dmp

Filesize
656KB

Download
memory/2308-7-0x0000000005020000-0x0000000005054000-memory.dmp

Filesize
208KB

Download
memory/2308-13-0x00000000747F0000-0x0000000074EDE000-memory.dmp

Filesize
6.9MB

Download
memory/2864-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2864-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2864-14-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download