formbook | 8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-07-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
Size

697KB
MD5

3e04e26d5c74db5d85cda99b11aac28b
SHA1

c7de7504f9930b79f343c3a4dd89ca78ed9dc59e
SHA256

8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f
SHA512

737efcc73dc774c60b00034ffd4e7afa6263e7db9f62f3119868c97eb90fd7869d370020bbefb230b2aca40d85c7724ca28ec99f3348b446e5d1c5539fa5b375
SSDEEP

12288:Kuo6JNf+wnzTiPmj68y0+6bUGUm5OiwM6kLY2oa0WwgOPfz5OVVBHGDS6:jJ9TDj68yj6bYRwtY2oa0YOnlOtm1

Score

10^/10

formbook dy13 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dy13

Decoy

manga-house.com

kjsdhklssk51.xyz

b0ba138.xyz

bt365033.com

ccbsinc.net

mrwine.xyz

nrxkrd527o.xyz

hoshi.social

1912ai.com

serco2020.com

byfchfyr.xyz

imuschestvostorgov.online

austinheafey.com

mrdfa.club

883106.photos

profitablefxmarkets.com

taini00.net

brye.top

ginsm.com

sportglid.com

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Formbook payload 1 IoCs
rat

Processes:

resource yara_rule

behavioral2/memory/3316-11-0x0000000000400000-0x000000000042F000-memory.dmp formbook

resource	yara_rule
behavioral2/memory/3316-11-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe

description	pid	process	target process
PID 3128 set thread context of 3316	3128	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe

pid process

3316 8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
3316 8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe

pid	process
3316	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
3316	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe

description	pid	process	target process
PID 3128 wrote to memory of 3316	3128	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
PID 3128 wrote to memory of 3316	3128	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
PID 3128 wrote to memory of 3316	3128	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
PID 3128 wrote to memory of 3316	3128	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
PID 3128 wrote to memory of 3316	3128	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
PID 3128 wrote to memory of 3316	3128	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe	8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe

C:\Users\Admin\AppData\Local\Temp\8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
"C:\Users\Admin\AppData\Local\Temp\8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3128

C:\Users\Admin\AppData\Local\Temp\8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe
"C:\Users\Admin\AppData\Local\Temp\8209a6f8283a09d52c15681a35047db39b499d081f8c843119252b4c72961c4f.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3316

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3128-6-0x00000000064A0000-0x00000000064BA000-memory.dmp

Filesize
104KB

Download
memory/3128-0-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

Filesize
4KB

Download
memory/3128-2-0x00000000051F0000-0x0000000005794000-memory.dmp

Filesize
5.6MB

Download
memory/3128-3-0x0000000004C40000-0x0000000004CD2000-memory.dmp

Filesize
584KB

Download
memory/3128-5-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/3128-4-0x0000000004C00000-0x0000000004C0A000-memory.dmp

Filesize
40KB

Download
memory/3128-1-0x0000000000160000-0x0000000000214000-memory.dmp

Filesize
720KB

Download
memory/3128-7-0x0000000006500000-0x0000000006508000-memory.dmp

Filesize
32KB

Download
memory/3128-10-0x0000000010950000-0x00000000109EC000-memory.dmp

Filesize
624KB

Download
memory/3128-9-0x000000000D130000-0x000000000D1A6000-memory.dmp

Filesize
472KB

Download
memory/3128-8-0x0000000006510000-0x000000000651C000-memory.dmp

Filesize
48KB

Download
memory/3128-13-0x0000000074A60000-0x0000000075210000-memory.dmp

Filesize
7.7MB

Download
memory/3316-11-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3316-14-0x0000000001110000-0x000000000145A000-memory.dmp

Filesize
3.3MB

Download