formbook | 371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
13-06-2024 16:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
Size

683KB
MD5

9a1d07c40f260be6ee003d9ae877614b
SHA1

5267de2f302b9f20d21307f9e5c02887ecd7377c
SHA256

371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7
SHA512

35b17567e170b32134c0d6dc03693ed44dfc7fbbbbeb8787a456bc20a97a4f5dba268452e8776098861a3f3fdce69e1080638a5c7bb3ce9f5b8b650c912765aa
SSDEEP

12288:IdXtfETu34NF6Zt4A8p56+gY7RrGcarLTj5S4A4hxl+gt9zoVYz2yUc:Id92amF6Mt3gYgcar/AeX+yE2z/

Score

10^/10

formbook cr12 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cr12

Decoy

nff1291.com

satyainfra.com

hechiceradeamores.com

jfgminimalist.com

qut68q.com

pedandmore.com

sugardefender24-usa.us

somalse.com

lotusluxecandle.com

certificadobassetpro.com

veryaroma.com

thehistoryofindia.in

33155.cc

terastudy.net

84031.vip

heilsambegegnen.com

horizon-rg.info

junongpei.website

winstons.club

henslotalt.us

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/2204-10-0x0000000000400000-0x000000000042F000-memory.dmp formbook

resource	yara_rule
behavioral2/memory/2204-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe

description	pid	process	target process
PID 4580 set thread context of 2204	4580	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe

pid process

2204 371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
2204 371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe

pid	process
2204	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
2204	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe

description	pid	process	target process
PID 4580 wrote to memory of 2204	4580	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
PID 4580 wrote to memory of 2204	4580	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
PID 4580 wrote to memory of 2204	4580	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
PID 4580 wrote to memory of 2204	4580	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
PID 4580 wrote to memory of 2204	4580	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
PID 4580 wrote to memory of 2204	4580	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe	371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe

C:\Users\Admin\AppData\Local\Temp\371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
"C:\Users\Admin\AppData\Local\Temp\371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4580

C:\Users\Admin\AppData\Local\Temp\371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe
"C:\Users\Admin\AppData\Local\Temp\371796cb762c7b686b0b81fe0028b06ac9908488ac0598ffe2fbbb7f66e675f7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2204

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2204-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2204-14-0x0000000001BA0000-0x0000000001EEA000-memory.dmp

Filesize
3.3MB

Download
memory/2204-13-0x0000000001BA0000-0x0000000001EEA000-memory.dmp

Filesize
3.3MB

Download
memory/4580-6-0x0000000006E80000-0x0000000006E9A000-memory.dmp

Filesize
104KB

Download
memory/4580-4-0x0000000005B40000-0x0000000005B4A000-memory.dmp

Filesize
40KB

Download
memory/4580-5-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4580-0-0x0000000074FDE000-0x0000000074FDF000-memory.dmp

Filesize
4KB

Download
memory/4580-7-0x0000000006EA0000-0x0000000006EB0000-memory.dmp

Filesize
64KB

Download
memory/4580-8-0x0000000007170000-0x00000000071E6000-memory.dmp

Filesize
472KB

Download
memory/4580-9-0x0000000009820000-0x00000000098BC000-memory.dmp

Filesize
624KB

Download
memory/4580-3-0x0000000005980000-0x0000000005A12000-memory.dmp

Filesize
584KB

Download
memory/4580-12-0x0000000074FD0000-0x0000000075780000-memory.dmp

Filesize
7.7MB

Download
memory/4580-2-0x0000000005E30000-0x00000000063D4000-memory.dmp

Filesize
5.6MB

Download
memory/4580-1-0x0000000000B40000-0x0000000000BF0000-memory.dmp

Filesize
704KB

Download