formbook | d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb

Analysis

max time kernel
146s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-09-2022 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DOC20220914-5678909876556089.exe
Size

936KB
MD5

bfb9abb75108871639ab6341d97677b4
SHA1

f1dff2faef0a0e3e74ffcebb4b6aee8fb512c274
SHA256

d2f322cb15f591ef314eda3cb164f8ab0ca0048f89c8694cf9bc6ca39a2785fb
SHA512

a98430ba24fd3048422b99d1c8fc94f3094b7ec20aea571ad0ab5191f934cf8f6a93f50e3e65e2612204873078f63ce33ab6fd6b4d8bb8a661a1a6a08f4cc49f
SSDEEP

24576:Qlubg3rMXy/fzfEarna8MFeN2ZtZzi10:Q4s3Yi/fIaras4Zzi1

Score

10^/10

formbook c1no rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

c1no

Decoy

NOAZ1GtFnUx1bqjUWmD6

sUBk3CYAoWuQfq3UWmD6

5vwrVl0msDtpEkYt

VtL6sSoIchhMStcj5DxYbm3FBw==

BKjy1ZxyhhuJ2guPWUI=

eAgklPLAE7zgqOmwRqPNOQLXz1Y=

aApC9n9Zp0ZhObwjLLLUAg1cjsx6Lg==

OrLZYLeFBavC1cD5+A==

jJm87eu4hy/QMbYE/wzDRQLXz1Y=

s63OS5RsBKrY3FurpDZXbm3FBw==

hyxwKsePxJNCwwejbEg=

l5667e2vQOkM4hFPE5yA0Q==

wTtVQBT04YkyoNKoN53GFV9m2hpS

+pzWhBnS26FJqiRyZXQrqR1Ow/1B

d/VHx031x5W2

GjhhiKSDZ/1txQejbEg=

nDhRjp5e9JeQiKzm+gqI41hdV5nFhsI=

ws4wtUMZYA1pEkYt

GazXV6Fr6akfcvxEOcbpTTCmMEq7Jg==

2vAOHufF5MT6VdU=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

DOC20220914-5678909876556089.exe

description pid process target process

PID 240 set thread context of 1116 240 DOC20220914-5678909876556089.exe DOC20220914-5678909876556089.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

DOC20220914-5678909876556089.exe

pid process

1116 DOC20220914-5678909876556089.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DOC20220914-5678909876556089.exe

pid process

240 DOC20220914-5678909876556089.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

DOC20220914-5678909876556089.exe

pid process

240 DOC20220914-5678909876556089.exe

description	pid	process	target process
PID 240 set thread context of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe

pid	process
1116	DOC20220914-5678909876556089.exe

pid	process
240	DOC20220914-5678909876556089.exe

pid	process
240	DOC20220914-5678909876556089.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

DOC20220914-5678909876556089.exe

description	pid	process	target process
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe
PID 240 wrote to memory of 1116	240	DOC20220914-5678909876556089.exe	DOC20220914-5678909876556089.exe

C:\Users\Admin\AppData\Local\Temp\DOC20220914-5678909876556089.exe
"C:\Users\Admin\AppData\Local\Temp\DOC20220914-5678909876556089.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:240

C:\Users\Admin\AppData\Local\Temp\DOC20220914-5678909876556089.exe
"C:\Users\Admin\AppData\Local\Temp\DOC20220914-5678909876556089.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/240-54-0x00000000013D0000-0x00000000014BE000-memory.dmp

Filesize
952KB

Download
memory/240-55-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

Filesize
8KB

Download
memory/240-56-0x0000000000470000-0x0000000000486000-memory.dmp

Filesize
88KB

Download
memory/240-57-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/240-58-0x0000000005060000-0x00000000050EE000-memory.dmp

Filesize
568KB

Download
memory/240-59-0x0000000000CA0000-0x0000000000CD4000-memory.dmp

Filesize
208KB

Download
memory/1116-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-64-0x00000000004012B0-mapping.dmp

Download
memory/1116-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1116-68-0x00000000008A0000-0x0000000000BA3000-memory.dmp

Filesize
3.0MB

Download