formbook | 74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d

Analysis

max time kernel
77s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
03-10-2022 08:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
Size

1.0MB
MD5

922d8a7ed88d75b8cc2b971d0e464044
SHA1

7360809341a6d72704ef85a3abbbf914ff5f6c4a
SHA256

74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d
SHA512

a5ea853d5d87b77131c1d9f165f50a7295fc190aeb69887cbce7e19c9e0fca930fccfb0428b583fdc2065c5c8851878e02348f50f7f69a20e213b4d5d23d9888
SSDEEP

24576:vq0o170veaGP3QerQrSKs9dTGL1y48l9omDW5wbJ:vqTpAaoecr7XP0imjb

Score

10^/10

formbook c1no rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

c1no

Decoy

NOAZ1GtFnUx1bqjUWmD6

sUBk3CYAoWuQfq3UWmD6

5vwrVl0msDtpEkYt

VtL6sSoIchhMStcj5DxYbm3FBw==

BKjy1ZxyhhuJ2guPWUI=

eAgklPLAE7zgqOmwRqPNOQLXz1Y=

aApC9n9Zp0ZhObwjLLLUAg1cjsx6Lg==

OrLZYLeFBavC1cD5+A==

jJm87eu4hy/QMbYE/wzDRQLXz1Y=

s63OS5RsBKrY3FurpDZXbm3FBw==

hyxwKsePxJNCwwejbEg=

l5667e2vQOkM4hFPE5yA0Q==

wTtVQBT04YkyoNKoN53GFV9m2hpS

+pzWhBnS26FJqiRyZXQrqR1Ow/1B

d/VHx031x5W2

GjhhiKSDZ/1txQejbEg=

nDhRjp5e9JeQiKzm+gqI41hdV5nFhsI=

ws4wtUMZYA1pEkYt

GazXV6Fr6akfcvxEOcbpTTCmMEq7Jg==

2vAOHufF5MT6VdU=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe

description	pid	process	target process
PID 4824 set thread context of 4324	4824	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe

pid	process
4324	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
4324	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe

description	pid	process	target process
PID 4824 wrote to memory of 4324	4824	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
PID 4824 wrote to memory of 4324	4824	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
PID 4824 wrote to memory of 4324	4824	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
PID 4824 wrote to memory of 4324	4824	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
PID 4824 wrote to memory of 4324	4824	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
PID 4824 wrote to memory of 4324	4824	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe	74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe

C:\Users\Admin\AppData\Local\Temp\74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
"C:\Users\Admin\AppData\Local\Temp\74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4824

C:\Users\Admin\AppData\Local\Temp\74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe
"C:\Users\Admin\AppData\Local\Temp\74489f3a31c0ade073151f7bb046d245e1ab29a436a5b93b1fe42b353f00828d.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4324

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4324-138-0x0000000000000000-mapping.dmp

Download
memory/4324-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4324-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4324-143-0x00000000014D0000-0x000000000181A000-memory.dmp

Filesize
3.3MB

Download
memory/4824-132-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/4824-133-0x00000000059A0000-0x0000000005F44000-memory.dmp

Filesize
5.6MB

Download
memory/4824-134-0x0000000005490000-0x0000000005522000-memory.dmp

Filesize
584KB

Download
memory/4824-135-0x0000000005410000-0x000000000541A000-memory.dmp

Filesize
40KB

Download
memory/4824-136-0x0000000009230000-0x00000000092CC000-memory.dmp

Filesize
624KB

Download
memory/4824-137-0x00000000092D0000-0x0000000009336000-memory.dmp

Filesize
408KB

Download