formbook | 356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763

Analysis

max time kernel
119s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
18-02-2025 08:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe
Size

940KB
MD5

3bd44d37c8c64efd3a94054c87e27ba3
SHA1

334e92ed8f7f49a76a1ee00bec7fd8903d90e9b3
SHA256

356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763
SHA512

057fafffb18cee4a0ce9c0295a50900448c992b7a9c395fe40fb6fdbaaf31dc4662afdf891e1b19e6b98e56a3e66193b3726217a5dbff992329af9b7b508f04a
SSDEEP

24576:pqL7IN453L28GRpNq7N6I+1wHGfkLKfd70b:0IN2K8GNied70

Score

10^/10

formbook a94w discovery rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

a94w

Decoy

elfast-cruisetours.today

uego.wtf

ealthcare-trends-21256.bond

enpuk.info

ealswithmeaning.net

lumber-jobs-54632.bond

q-test-45673.bond

chmollinger.info

sibot.tech

utomation-tools-92232.bond

urasiindo4dpools.net

tbldg.world

raffitishop.online

mwa.info

iloubloiu-im.monster

agprime.life

yshopva.xyz

onstruction-services-27125.bond

enet.xyz

ontentexclusive.shop

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook family
formbook

Formbook payload 1 IoCs

rat

resource	yara_rule
behavioral2/memory/2764-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1932 set thread context of 2764	1932	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe	84

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2764	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe
2764	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1932 wrote to memory of 2764	1932	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe	84
PID 1932 wrote to memory of 2764	1932	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe	84
PID 1932 wrote to memory of 2764	1932	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe	84
PID 1932 wrote to memory of 2764	1932	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe	84
PID 1932 wrote to memory of 2764	1932	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe	84
PID 1932 wrote to memory of 2764	1932	356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe	84

C:\Users\Admin\AppData\Local\Temp\356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe
"C:\Users\Admin\AppData\Local\Temp\356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Users\Admin\AppData\Local\Temp\356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe
  "C:\Users\Admin\AppData\Local\Temp\356b42b6824a606e883de088d6eba39d6aa9f65d6fa6af6c2b0144013d116763.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-6-0x0000000005120000-0x000000000513E000-memory.dmp

Filesize
120KB

Download
memory/1932-0-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/1932-2-0x00000000053D0000-0x0000000005974000-memory.dmp

Filesize
5.6MB

Download
memory/1932-3-0x0000000004D30000-0x0000000004DC2000-memory.dmp

Filesize
584KB

Download
memory/1932-5-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-4-0x0000000004DD0000-0x0000000004DDA000-memory.dmp

Filesize
40KB

Download
memory/1932-1-0x0000000000260000-0x0000000000352000-memory.dmp

Filesize
968KB

Download
memory/1932-7-0x0000000074B1E000-0x0000000074B1F000-memory.dmp

Filesize
4KB

Download
memory/1932-10-0x000000000BCF0000-0x000000000BD8C000-memory.dmp

Filesize
624KB

Download
memory/1932-9-0x0000000008BD0000-0x0000000008C48000-memory.dmp

Filesize
480KB

Download
memory/1932-8-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/1932-13-0x0000000074B10000-0x00000000752C0000-memory.dmp

Filesize
7.7MB

Download
memory/2764-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2764-14-0x0000000001250000-0x000000000159A000-memory.dmp

Filesize
3.3MB

Download