formbook | 7d2e3189c62ed4efa06c9f12895f84a4ff63010409d1031d53b0df185c82f087

Analysis

max time kernel
84s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2022 05:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.13734.exe
Size

939KB
MD5

d69d6dd01955b7b8758ade90eb60368b
SHA1

9e8bac5c47e59eadc5b077edfae58cf7516dfe90
SHA256

7d2e3189c62ed4efa06c9f12895f84a4ff63010409d1031d53b0df185c82f087
SHA512

37a1c7eec5c4452ec117c2e5b5a7de7396bafb3ccd94da3330f5593b3b095382026beb982b7245e4bd0151a9c9f31937a356e73fa851ff9479b1ab4198916ad3
SSDEEP

12288:XOL77AQapF8NJbjCkpbRisO/gJdvo+wuQ3dT78HpD:XOfEWNJbOkvisbNwuAP8HpD

Score

10^/10

formbook etfh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

etfh

Decoy

7GZ6EDICLTxRlA==

PLtlQESN4qcH

Hl1Kaj5k/IbeqjD2BbfAIAg=

IGIFzYb9FfCCzV9l

i6XHgFSN4qcH

OJwysQEOtacTgw==

sA02ZDlg/cQuq8OHbjJrZj5hZfBW2hA=

4RW/U8ADLezCD/fcwg==

3B8SJMhHZuG8DjTuj7wqNA==

YYEwzTC4Qw4gaIUlH4jx

Ues8V/VDLTxRlA==

xA958bGoMrQ=

YKOQqIa0Qwqq9IR2

VoV5nnq7XeY/BZmK2BtWmyiCrQ==

O/cKZyK2Wdw386OK9NobskQM

k50X1qTOYjVFGrU=

+T65goQJnSnD0sqxeMT78ktXVOho4BQ=

uJapUOj3EKOK0BjGpf4ePA==

QNs2VScpggMYnsh0

Z7XOfidNLTxRlA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4800 set thread context of 1868	4800	SecuriteInfo.com.Win32.PWSX-gen.13734.exe	92

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1868	SecuriteInfo.com.Win32.PWSX-gen.13734.exe
1868	SecuriteInfo.com.Win32.PWSX-gen.13734.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 1868	4800	SecuriteInfo.com.Win32.PWSX-gen.13734.exe	92
PID 4800 wrote to memory of 1868	4800	SecuriteInfo.com.Win32.PWSX-gen.13734.exe	92
PID 4800 wrote to memory of 1868	4800	SecuriteInfo.com.Win32.PWSX-gen.13734.exe	92
PID 4800 wrote to memory of 1868	4800	SecuriteInfo.com.Win32.PWSX-gen.13734.exe	92
PID 4800 wrote to memory of 1868	4800	SecuriteInfo.com.Win32.PWSX-gen.13734.exe	92
PID 4800 wrote to memory of 1868	4800	SecuriteInfo.com.Win32.PWSX-gen.13734.exe	92

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13734.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13734.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13734.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.13734.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1868

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1868-139-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/1868-140-0x0000000001850000-0x0000000001B9A000-memory.dmp

Filesize
3.3MB

Download
memory/4800-132-0x0000000000690000-0x0000000000780000-memory.dmp

Filesize
960KB

Download
memory/4800-133-0x0000000005630000-0x0000000005BD4000-memory.dmp

Filesize
5.6MB

Download
memory/4800-134-0x0000000005130000-0x00000000051C2000-memory.dmp

Filesize
584KB

Download
memory/4800-135-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/4800-136-0x0000000009060000-0x00000000090FC000-memory.dmp

Filesize
624KB

Download
memory/4800-137-0x0000000009100000-0x0000000009166000-memory.dmp

Filesize
408KB

Download