formbook | f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839

Resubmissions

20-06-2024 08:53

240620-ktnxwstajj 10

12-06-2024 02:32

240612-c1j9aaygnn 10

Analysis

max time kernel
51s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20-06-2024 08:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
Size

656KB
MD5

58683f82a5c6a4b53e5eea6e3d2df375
SHA1

5781f6d4918dfb0260444dcbaf040dee3ffc0319
SHA256

f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839
SHA512

df9e89ad721ccfbb730bf82aa67d07697358910dbb401457f66e344b0c74c59ca36c12bfb6e829243fcb92a7f28c23a6aa13b24a05ccea2be55769cfaf795611
SSDEEP

12288:/aCR5leZlNkbMvoHsUjsKZN5eJL/LaG2GcZO6EoLNSB2dC:i+erGMwMf8neJL/+GK3d

Score

10^/10

formbook 38gc rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

38gc

Decoy

fgoz3kry51.asia

vanishingacthairremoval.com

onlinelearningsandbox.com

feluca-egypt.com

goforsourcing.com

hairmadeperfect.com

brockspaydayearners.com

vintagetoj.com

tjandthecampers.com

emkanelajiehes.com

bestundersinkwaterfilter.com

proatta777.com

satuslot.beauty

nicolesbodybutter.com

montecarlogallery.com

homeautomation.one

cx-n1.ink

spennys.casa

gaozgn.cfd

hakajimai.online

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/3824-10-0x0000000000400000-0x000000000042F000-memory.dmp formbook

resource	yara_rule
behavioral2/memory/3824-10-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe

description	pid	process	target process
PID 3240 set thread context of 3824	3240	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe

pid process

3824 f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
3824 f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe

pid	process
3824	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
3824	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe

description	pid	process	target process
PID 3240 wrote to memory of 3824	3240	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
PID 3240 wrote to memory of 3824	3240	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
PID 3240 wrote to memory of 3824	3240	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
PID 3240 wrote to memory of 3824	3240	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
PID 3240 wrote to memory of 3824	3240	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
PID 3240 wrote to memory of 3824	3240	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe	f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe

C:\Users\Admin\AppData\Local\Temp\f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
"C:\Users\Admin\AppData\Local\Temp\f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3240

C:\Users\Admin\AppData\Local\Temp\f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe
"C:\Users\Admin\AppData\Local\Temp\f1f3c884481aea76a89cfc659e509789e243226118ee103c76dafd76d73aa839.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3824

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3240-6-0x0000000005C40000-0x0000000005C62000-memory.dmp

Filesize
136KB

Download
memory/3240-0-0x00000000747AE000-0x00000000747AF000-memory.dmp

Filesize
4KB

Download
memory/3240-2-0x0000000005C80000-0x0000000006224000-memory.dmp

Filesize
5.6MB

Download
memory/3240-3-0x00000000056D0000-0x0000000005762000-memory.dmp

Filesize
584KB

Download
memory/3240-4-0x0000000005670000-0x000000000567A000-memory.dmp

Filesize
40KB

Download
memory/3240-5-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/3240-1-0x0000000000BD0000-0x0000000000C78000-memory.dmp

Filesize
672KB

Download
memory/3240-7-0x0000000005910000-0x0000000005920000-memory.dmp

Filesize
64KB

Download
memory/3240-12-0x00000000747A0000-0x0000000074F50000-memory.dmp

Filesize
7.7MB

Download
memory/3240-9-0x00000000082C0000-0x000000000835C000-memory.dmp

Filesize
624KB

Download
memory/3240-8-0x0000000006AA0000-0x0000000006B16000-memory.dmp

Filesize
472KB

Download
memory/3824-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3824-13-0x0000000001AE0000-0x0000000001E2A000-memory.dmp

Filesize
3.3MB

Download
memory/3824-14-0x0000000001AE0000-0x0000000001E2A000-memory.dmp

Filesize
3.3MB

Download