formbook | 148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64a5e155baded9185ecd1fa9946c13aa.exe
Size

795KB
MD5

64a5e155baded9185ecd1fa9946c13aa
SHA1

4e7c62d7d5b1353bfc0e0220ae89e5409201bc70
SHA256

148da9a63f027b2e7625f0b82b42bc795737b55c46d040af508fdcea2bccad98
SHA512

aef9499d737b198c45b1c88968bd871a85a0c16fe284f5a4477444580db158db3912db66f8a353b21a0ad727c09fcb2741e6c578c6b8d6179c089c5d59977985
SSDEEP

12288:6+S+SFXRuTwyC6flXB3pAJFvkP5UfazdkZRavD7R5GfYG2ucIjkM:XwRuljp0v6U0SZGhGVC

Score

10^/10

formbook na10 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

na10

Decoy

tetheus.com

ventlikeyoumeanit.com

tintbliss.com

rinabet357.com

sapphireboutiqueusa.com

abc8bet6.com

xzcn3i7jb13cqei.buzz

pinktravelsnagpur.com

bt365038.com

rtpbossujang303.shop

osthirmaker.com

thelonelyteacup.com

rlc2019.com

couverture-charpente.com

productivagc.com

defendercarcare.com

abcentixdigital.com

petco.ltd

oypivh.top

micro.guru

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral1/memory/1880-14-0x0000000000400000-0x000000000042F000-memory.dmp formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

64a5e155baded9185ecd1fa9946c13aa.exe

description pid process target process

PID 2372 set thread context of 1880 2372 64a5e155baded9185ecd1fa9946c13aa.exe 64a5e155baded9185ecd1fa9946c13aa.exe
Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

64a5e155baded9185ecd1fa9946c13aa.exe64a5e155baded9185ecd1fa9946c13aa.exe

pid process

2372 64a5e155baded9185ecd1fa9946c13aa.exe
2372 64a5e155baded9185ecd1fa9946c13aa.exe
1880 64a5e155baded9185ecd1fa9946c13aa.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

64a5e155baded9185ecd1fa9946c13aa.exe

description pid process

Token: SeDebugPrivilege 2372 64a5e155baded9185ecd1fa9946c13aa.exe

resource	yara_rule
behavioral1/memory/1880-14-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

description	pid	process	target process
PID 2372 set thread context of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe

pid	process
2372	64a5e155baded9185ecd1fa9946c13aa.exe
2372	64a5e155baded9185ecd1fa9946c13aa.exe
1880	64a5e155baded9185ecd1fa9946c13aa.exe

description	pid	process
Token: SeDebugPrivilege	2372	64a5e155baded9185ecd1fa9946c13aa.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

64a5e155baded9185ecd1fa9946c13aa.exe

description	pid	process	target process
PID 2372 wrote to memory of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe
PID 2372 wrote to memory of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe
PID 2372 wrote to memory of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe
PID 2372 wrote to memory of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe
PID 2372 wrote to memory of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe
PID 2372 wrote to memory of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe
PID 2372 wrote to memory of 1880	2372	64a5e155baded9185ecd1fa9946c13aa.exe	64a5e155baded9185ecd1fa9946c13aa.exe

C:\Users\Admin\AppData\Local\Temp\64a5e155baded9185ecd1fa9946c13aa.exe
"C:\Users\Admin\AppData\Local\Temp\64a5e155baded9185ecd1fa9946c13aa.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372

C:\Users\Admin\AppData\Local\Temp\64a5e155baded9185ecd1fa9946c13aa.exe
"C:\Users\Admin\AppData\Local\Temp\64a5e155baded9185ecd1fa9946c13aa.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1880

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1880-6-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-16-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/1880-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1880-10-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/1880-8-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2372-3-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-5-0x0000000000330000-0x0000000000336000-memory.dmp

Filesize
24KB

Download
memory/2372-4-0x0000000000360000-0x000000000037A000-memory.dmp

Filesize
104KB

Download
memory/2372-0-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2372-12-0x000000007469E000-0x000000007469F000-memory.dmp

Filesize
4KB

Download
memory/2372-13-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-2-0x0000000004360000-0x00000000043A4000-memory.dmp

Filesize
272KB

Download
memory/2372-15-0x0000000074690000-0x0000000074D7E000-memory.dmp

Filesize
6.9MB

Download
memory/2372-1-0x0000000000950000-0x0000000000A1C000-memory.dmp

Filesize
816KB

Download