formbook | 885d3612f1d5f7b8067b8686d563985039f9adfc335950136ec6f42f77580d34

Analysis

max time kernel
54s
max time network
52s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
19/09/2022, 11:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.20180.exe
Size

1006KB
MD5

f0aae9cacd45675b577d06da5bf8b9b8
SHA1

ee821c44597dddb716cb9e0a5e52306dc6b358f1
SHA256

885d3612f1d5f7b8067b8686d563985039f9adfc335950136ec6f42f77580d34
SHA512

86c044d89d5f8dd77158a2c772bfacc20023d527a2231dad67cec839f84d83fa2a3cd4b3132726597e09ba4d9284f9c89bb80b71600ebe1d1a84fb96ee0156bf
SSDEEP

24576:p4JfDOamORbShEFRl3sPNX6KKKKKKfj6:p89i4l3sPB6KKKKKKfj6

Score

10^/10

formbook k056 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k056

Decoy

I6ZtzMO4tX+tliE+qt4=

qXwc4gD7yggogn987j5wQsZnc+OhAVE=

nwnBB5b4yZzLwpZtMajutbGT

OPq8wCLHoBNRnmK+wxBDDw==

bTzuol7JkFaHt0Yjm9w=

RVb6jJxpFYSv68mTCxmjAR9EpZc=

gJYxuLCQJ8jpICAakIj5TRIz5d5nAg==

YcNluGLPr6riqCE+qt4=

7tJ2VmdlX7vg97aPDEVtyjjliIg=

oogs8ATrvjR2wK2SEURppMapY0aGKC/Z

rZNRJ05YUdcJNQHYg35h1DjliIg=

fKhsEh/trUJtfzCdkKnAf7g=

RErWQtoPxr3ZgDwd53Sg8K4FuyAbCg==

WmD0j56Vdcb7lWh/svwB

O03oaGRYI2eaNCKTl1KYpv9vXA==

mx7bLs05CuYL16R6NqzutbGT

kNZrspSqg1uq7us=

NyrglqmvhbYmdlnR0J0J

byKycKqcY9f9aQaIyg==

4apJHpfrlofCi0osmHfCAXkglo4=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 960 set thread context of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
592	SecuriteInfo.com.Win32.PWSX-gen.20180.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 960 wrote to memory of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27
PID 960 wrote to memory of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27
PID 960 wrote to memory of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27
PID 960 wrote to memory of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27
PID 960 wrote to memory of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27
PID 960 wrote to memory of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27
PID 960 wrote to memory of 592	960	SecuriteInfo.com.Win32.PWSX-gen.20180.exe	27

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.20180.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.20180.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:960
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.20180.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.20180.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/592-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/592-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/592-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/592-65-0x0000000000A20000-0x0000000000D23000-memory.dmp

Filesize
3.0MB

Download
memory/960-54-0x0000000000920000-0x0000000000A20000-memory.dmp

Filesize
1024KB

Download
memory/960-55-0x00000000757A1000-0x00000000757A3000-memory.dmp

Filesize
8KB

Download
memory/960-56-0x0000000000620000-0x0000000000636000-memory.dmp

Filesize
88KB

Download
memory/960-57-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/960-58-0x00000000050D0000-0x000000000515C000-memory.dmp

Filesize
560KB

Download
memory/960-59-0x00000000022B0000-0x00000000022E2000-memory.dmp

Filesize
200KB

Download