formbook | 2e6b14e41b3f871355635c7427cb1531a9b61a37e137f90a590d21eab7648f2f

Analysis

max time kernel
90s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
24/09/2022, 10:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

58f0875c2e801df99d7524daf4bc8a41.exe
Size

944KB
MD5

58f0875c2e801df99d7524daf4bc8a41
SHA1

3094c8edaa9bdedc61a7e137b00506759e5d64af
SHA256

2e6b14e41b3f871355635c7427cb1531a9b61a37e137f90a590d21eab7648f2f
SHA512

bdc93702fb04217709a9416e42e9fdc8d23be7a3e2d66c1ba14bb75e09b5ec662a35cd52da99f6764a4d4798a82f056fd0bb2afcf7b5027dd4b6bca514f21b75
SSDEEP

12288:ghLuyAHif1kFXP7mS+dC5RYb4ayQ4iJVftU/x43Cbr3Y3jEbGFv3e:ghLuyyqWAC5+xyn0WxuAY88

Score

10^/10

formbook dmpz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

dmpz

Decoy

g6nVYcuLqoVCBunEXBXJ6w3fWQ==

ZcvMXCXftOLl

7llPyUdY6SDW+0jFjBhH6w3fWQ==

oNlI65OL5t6RGejebRdKsAjXGtsK8A==

kU64X5biR3AzyCEnlw==

dHWevaYxywS6e4PXkxhTtP/UGtsK8A==

tucfwSpD6EgygeItq7/COFAbH9E=

tSbx9dJa7CjaS9i1c3d4ImUJ

IlWSNsSPqt6mcQ3d

e0GDBU2jsOzL5OKBIzg=

N83IzuJUqu7g3+KBIzg=

nbC4xt55DmBKL0xV4GLW6w3fWQ==

Tk99naENrAzQj1piGbcl

6043tio61grD5OKBIzg=

HvXh6PMok+vZE1qjJUJClgSk+PAr1skh

JDtEXxkexjYzc+Bwc3Yt

sl+jPuCtSKWIyeKBIzg=

+eXvDCFojnwd9P79cBrQ6w3fWQ==

UfksRCdag5cHMXc=

7OW2uH1YngQA92VbLtpaRLmO/5JOL6k=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2672 set thread context of 228	2672	58f0875c2e801df99d7524daf4bc8a41.exe	88

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	58f0875c2e801df99d7524daf4bc8a41.exe
228	58f0875c2e801df99d7524daf4bc8a41.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2672 wrote to memory of 228	2672	58f0875c2e801df99d7524daf4bc8a41.exe	88
PID 2672 wrote to memory of 228	2672	58f0875c2e801df99d7524daf4bc8a41.exe	88
PID 2672 wrote to memory of 228	2672	58f0875c2e801df99d7524daf4bc8a41.exe	88
PID 2672 wrote to memory of 228	2672	58f0875c2e801df99d7524daf4bc8a41.exe	88
PID 2672 wrote to memory of 228	2672	58f0875c2e801df99d7524daf4bc8a41.exe	88
PID 2672 wrote to memory of 228	2672	58f0875c2e801df99d7524daf4bc8a41.exe	88

C:\Users\Admin\AppData\Local\Temp\58f0875c2e801df99d7524daf4bc8a41.exe
"C:\Users\Admin\AppData\Local\Temp\58f0875c2e801df99d7524daf4bc8a41.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\58f0875c2e801df99d7524daf4bc8a41.exe
  "C:\Users\Admin\AppData\Local\Temp\58f0875c2e801df99d7524daf4bc8a41.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:228

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/228-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/228-143-0x0000000001210000-0x000000000155A000-memory.dmp

Filesize
3.3MB

Download
memory/2672-132-0x0000000000950000-0x0000000000A42000-memory.dmp

Filesize
968KB

Download
memory/2672-133-0x00000000058A0000-0x0000000005E44000-memory.dmp

Filesize
5.6MB

Download
memory/2672-134-0x00000000052F0000-0x0000000005382000-memory.dmp

Filesize
584KB

Download
memory/2672-135-0x0000000005440000-0x000000000544A000-memory.dmp

Filesize
40KB

Download
memory/2672-136-0x0000000009600000-0x000000000969C000-memory.dmp

Filesize
624KB

Download
memory/2672-137-0x00000000096A0000-0x0000000009706000-memory.dmp

Filesize
408KB

Download