formbook | 7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b

Analysis

max time kernel
51s
max time network
52s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

607868824f841ff4b6e24e997228d10d.exe
Size

614KB
MD5

607868824f841ff4b6e24e997228d10d
SHA1

76a91ee65551d7babf8799bbecd9e78c44f47787
SHA256

7392b6a710583060d7f5bd8a3a7573fa0f278a543f961057fec04445d017de3b
SHA512

99f856165bcdfeaf6ef3e9f34c9d88cb30e3467f238eef4489ade96024d57d50dd002da63e77dfeb82458b084a1535a7392ac159711337b8694e75822033ebc8
SSDEEP

12288:LajzneBoLmk8bLq4xKNhZAb2drAJuU6ljqdLGtierEWhuV:2jznfL/qLxK7ZAbWAJJ6lGdLGtierEJV

Score

10^/10

formbook btrd rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

btrd

Decoy

everslane.com

prairieviewelectric.online

dszvhgd.com

papamuch.com

8129k.vip

jeffreestar.gold

bestguestrentals.com

nvzhuang1.net

anangtoto.com

yxfgor.top

practicalpoppers.com

thebestanglephotography.online

koormm.top

criika.net

audioflow.online

380747.net

jiuguanwang.net

bloxequities.com

v321c.com

sugar.monster

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/1936-9-0x0000000000400000-0x000000000042F000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

607868824f841ff4b6e24e997228d10d.exe

description pid process target process

PID 5116 set thread context of 1936 5116 607868824f841ff4b6e24e997228d10d.exe 607868824f841ff4b6e24e997228d10d.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

607868824f841ff4b6e24e997228d10d.exe

pid process

1936 607868824f841ff4b6e24e997228d10d.exe
1936 607868824f841ff4b6e24e997228d10d.exe

resource	yara_rule
behavioral2/memory/1936-9-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

description	pid	process	target process
PID 5116 set thread context of 1936	5116	607868824f841ff4b6e24e997228d10d.exe	607868824f841ff4b6e24e997228d10d.exe

pid	process
1936	607868824f841ff4b6e24e997228d10d.exe
1936	607868824f841ff4b6e24e997228d10d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

607868824f841ff4b6e24e997228d10d.exe

description	pid	process	target process
PID 5116 wrote to memory of 1936	5116	607868824f841ff4b6e24e997228d10d.exe	607868824f841ff4b6e24e997228d10d.exe
PID 5116 wrote to memory of 1936	5116	607868824f841ff4b6e24e997228d10d.exe	607868824f841ff4b6e24e997228d10d.exe
PID 5116 wrote to memory of 1936	5116	607868824f841ff4b6e24e997228d10d.exe	607868824f841ff4b6e24e997228d10d.exe
PID 5116 wrote to memory of 1936	5116	607868824f841ff4b6e24e997228d10d.exe	607868824f841ff4b6e24e997228d10d.exe
PID 5116 wrote to memory of 1936	5116	607868824f841ff4b6e24e997228d10d.exe	607868824f841ff4b6e24e997228d10d.exe
PID 5116 wrote to memory of 1936	5116	607868824f841ff4b6e24e997228d10d.exe	607868824f841ff4b6e24e997228d10d.exe

C:\Users\Admin\AppData\Local\Temp\607868824f841ff4b6e24e997228d10d.exe
"C:\Users\Admin\AppData\Local\Temp\607868824f841ff4b6e24e997228d10d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5116

C:\Users\Admin\AppData\Local\Temp\607868824f841ff4b6e24e997228d10d.exe
"C:\Users\Admin\AppData\Local\Temp\607868824f841ff4b6e24e997228d10d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1936

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1936-9-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1936-10-0x0000000001750000-0x0000000001A9A000-memory.dmp

Filesize
3.3MB

Download
memory/5116-0-0x0000000074CBE000-0x0000000074CBF000-memory.dmp

Filesize
4KB

Download
memory/5116-1-0x0000000000650000-0x00000000006F0000-memory.dmp

Filesize
640KB

Download
memory/5116-2-0x00000000057B0000-0x0000000005D54000-memory.dmp

Filesize
5.6MB

Download
memory/5116-3-0x00000000050E0000-0x0000000005172000-memory.dmp

Filesize
584KB

Download
memory/5116-4-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/5116-6-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download
memory/5116-5-0x0000000005340000-0x00000000053A2000-memory.dmp

Filesize
392KB

Download
memory/5116-7-0x0000000005450000-0x00000000054EC000-memory.dmp

Filesize
624KB

Download
memory/5116-8-0x00000000053A0000-0x00000000053A8000-memory.dmp

Filesize
32KB

Download
memory/5116-12-0x0000000074CB0000-0x0000000075460000-memory.dmp

Filesize
7.7MB

Download