formbook | d9330396040f8b8169fee91c05b6f6a4114c863e78971082faeb1a604adf589f

Analysis

max time kernel
137s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2022 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.10417.exe
Size

843KB
MD5

0254eb57f3e60a44a34117a760d0044c
SHA1

87a774ca772463b5a8ad3f6e5387ff3f25a3d3bb
SHA256

d9330396040f8b8169fee91c05b6f6a4114c863e78971082faeb1a604adf589f
SHA512

8f4ac3fac65992cf01e7d2dc4a1c722a2f67a1bf3e45e9144a0e32bb7623e3fda7aaaa65ff69da0f9528446386c41b6e4cfcd44a688576918975451a22f4dca3
SSDEEP

12288:P/yxHTOPGs+Km2aUqLYLWfqbK7dfIgduHv32bF:PIzOP+KaUqL82qE5uPmbF

Score

10^/10

formbook p94a rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

p94a

Decoy

wishgrove.com

parqueveiculos.com

spiderwebs.online

chulkanadham.com

cdtuan.net

zxazm.com

payment6528832.xyz

fengtaiol.com

bffsmovie.com

aliceseagerfitness.com

garisluruskonsulindo.website

analytical-gutter.net

ahcq8.com

fenyoga.com

ecleptic.cat

conjurecrafts.com

aquaway.date

apenpokkenschoonmaakbedrijf.com

zgramr.top

boweknives.site

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Formbook payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/1944-140-0x0000000000400000-0x000000000042F000-memory.dmp	formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.10417.exe

description	pid	process	target process
PID 2376 set thread context of 1944	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.10417.exeSecuriteInfo.com.Win32.PWSX-gen.10417.exe

pid	process
2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
1944	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
1944	SecuriteInfo.com.Win32.PWSX-gen.10417.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.10417.exe

description pid process

Token: SeDebugPrivilege 2376 SecuriteInfo.com.Win32.PWSX-gen.10417.exe

description	pid	process
Token: SeDebugPrivilege	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.10417.exe

description	pid	process	target process
PID 2376 wrote to memory of 1568	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1568	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1568	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1944	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1944	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1944	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1944	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1944	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe
PID 2376 wrote to memory of 1944	2376	SecuriteInfo.com.Win32.PWSX-gen.10417.exe	SecuriteInfo.com.Win32.PWSX-gen.10417.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2376

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe"
2⤵
PID:1568

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.10417.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1944

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1568-138-0x0000000000000000-mapping.dmp

Download
memory/1944-139-0x0000000000000000-mapping.dmp

Download
memory/1944-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1944-141-0x0000000001630000-0x000000000197A000-memory.dmp

Filesize
3.3MB

Download
memory/2376-132-0x0000000000AF0000-0x0000000000BC8000-memory.dmp

Filesize
864KB

Download
memory/2376-133-0x0000000005B50000-0x00000000060F4000-memory.dmp

Filesize
5.6MB

Download
memory/2376-134-0x00000000055A0000-0x0000000005632000-memory.dmp

Filesize
584KB

Download
memory/2376-135-0x0000000005560000-0x000000000556A000-memory.dmp

Filesize
40KB

Download
memory/2376-136-0x0000000009070000-0x000000000910C000-memory.dmp

Filesize
624KB

Download
memory/2376-137-0x0000000009130000-0x0000000009196000-memory.dmp

Filesize
408KB

Download