formbook | 310b4ffa559e06b739ba7b4d7cd12f47286aec7352a8aa5296955f0a7f49b190

Analysis

max time kernel
91s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
06-10-2022 08:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe
Size

960KB
MD5

f3309c43b2bf62602ba5b02e1ad2dc4a
SHA1

367beedcaa104f82626a112d8ffeb58fba7e07cb
SHA256

310b4ffa559e06b739ba7b4d7cd12f47286aec7352a8aa5296955f0a7f49b190
SHA512

a2cf7b4f080203117ded70269476c3e703942df10afccf7a138ee1e1b0212b46246a2147518339b02be943024ca6c652dabb70290831b89e0f60aa0608a89d6b
SSDEEP

12288:9H5nvEeyWvXp6/rcaIdxj42SNqwgxUiWV32ohJ9xtvqeNtVQR/4ve:jvEeVR6zc3j4XSE/3tvhO4ve

Score

10^/10

formbook uymo rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

uymo

Decoy

A4J+j1lFUiMbPgQD0uzpdg==

F3lajp/JwxgpzPZ3bf9zrK0EzWDU/JY=

bOCwjfx/jOF4Las6GFv7+tQ=

9BDZHgUVSa1ypSWjNcPR

S9u+wp+ai+yEW4OWIQ==

wXxiP8BRWDG2JiTw5XA=

VeumNjNg3QeL/qtw

KYxbMI9RU7eqPpEYg1v7+tQ=

zwfU2Vv4NxXzDLy1IWFrDo3iqOoV1KB3

0XQ3wM3oGntH+iTw5XA=

nx7p2XIfYkHv9+Uu+VKx3l41j3mS454=

+BIOmtNni5xbAo5VEZFYQFAw

tkQa0SXOEjV/0yTw5XA=

YOLHv42Us4eMrHCod80dYluXJzNn

HZdsbBNsdAvOq+cr4CaIfg==

YlQ/0dwFQYtd+DXIxzKUlO8kBc9C9A==

mCL+zS69yZ9DyvVMC4399tE/Xk0V1KB3

+tXLkwCl2LyCqaNnalv7+tQ=

yPzM2bjLKPyixsjWSoWe9NI=

KQPQVL5puBHigv/RmyAU0ExD4GDU/JY=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2984 set thread context of 4168	2984	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe	90

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4168	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe
4168	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 4168	2984	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe	90
PID 2984 wrote to memory of 4168	2984	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe	90
PID 2984 wrote to memory of 4168	2984	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe	90
PID 2984 wrote to memory of 4168	2984	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe	90
PID 2984 wrote to memory of 4168	2984	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe	90
PID 2984 wrote to memory of 4168	2984	SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe	90

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Tedy.217947.21963.1711.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4168

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2984-132-0x00000000003A0000-0x0000000000490000-memory.dmp

Filesize
960KB

Download
memory/2984-133-0x0000000005500000-0x0000000005AA4000-memory.dmp

Filesize
5.6MB

Download
memory/2984-134-0x0000000004E30000-0x0000000004EC2000-memory.dmp

Filesize
584KB

Download
memory/2984-135-0x0000000004E20000-0x0000000004E2A000-memory.dmp

Filesize
40KB

Download
memory/2984-136-0x00000000087F0000-0x000000000888C000-memory.dmp

Filesize
624KB

Download
memory/2984-137-0x0000000008900000-0x0000000008966000-memory.dmp

Filesize
408KB

Download
memory/4168-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4168-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4168-143-0x0000000001710000-0x0000000001A5A000-memory.dmp

Filesize
3.3MB

Download