formbook | f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
10-10-2022 11:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
Size

822KB
MD5

3584af4c7ff3061dc605bfc0de9d478d
SHA1

c503adf44637ac957da9cae59dd096253ab4b195
SHA256

f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482
SHA512

2efa424e30bb3dd04149b214da74073403b5214c96259d0155819b1897bc3006ee3b1e58cbf1564e4a555e72f0cbf9aa3b54317cdcbd81079af18a434480eb14
SSDEEP

12288:LSC+LolWHgwDh75VhQKLpSiro7BvE1lhBLW+EcULD:yLolWAwDh75Yidro7hE7h2

Score

10^/10

formbook cqd8 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

cqd8

Decoy

9zPItsSBQPthH0B1

iyz2ugC7TUMEaZEDDTNIzw==

uVc25zCFO03zbYzHxXLElk5HHccFoes=

RYDZw1su7yszucXjwqtgrz1tSccFoes=

AiB+KfBdDLRFs8sOAsmAllKZeg==

w5T7/Y1lNGBeMdKkKNl8tUl3fTWjlURG

mcIHqPCaEavSyg==

YA7dyN6xKf1MKJa/RA==

Dt789IRVd/fO8FeQNOiV3g==

jYfu3dS4b/1OL59exnPPEo4=

SjyOSKD6lRhpWwUmMwE8ncB1KOg=

JIT782/TaO41DXw3hYJa1g==

uT4u7SwA+3yA/iCo0O7tHyeffA==

/gJzPfngDySzwndmyHPPEo4=

+Um8wD7b9bCQ8A9cK4Nl1oA=

RaikVqx5ozxW3vd6khgIHsDMgKrv

hyYEyRMIEJ8WdnFePeLgHyeffA==

bCov6raFJ30odm5fJQQ=

1rMMrXrTf7OZqyLVM708wZ0=

U4nspOC6sJ3et2I=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe

description	pid	process	target process
PID 2032 set thread context of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe

pid process

1352 f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe

pid	process
1352	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe

description	pid	process	target process
PID 2032 wrote to memory of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
PID 2032 wrote to memory of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
PID 2032 wrote to memory of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
PID 2032 wrote to memory of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
PID 2032 wrote to memory of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
PID 2032 wrote to memory of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
PID 2032 wrote to memory of 1352	2032	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe	f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe

C:\Users\Admin\AppData\Local\Temp\f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
"C:\Users\Admin\AppData\Local\Temp\f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2032

C:\Users\Admin\AppData\Local\Temp\f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe
"C:\Users\Admin\AppData\Local\Temp\f76f5834e3f530f51170304bbfd84fbbafc93a063dd418c6c8d87e4c6669f482.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1352

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1352-64-0x00000000004012B0-mapping.dmp

Download
memory/1352-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1352-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1352-68-0x0000000000990000-0x0000000000C93000-memory.dmp

Filesize
3.0MB

Download
memory/2032-55-0x00000000766D1000-0x00000000766D3000-memory.dmp

Filesize
8KB

Download
memory/2032-56-0x0000000000620000-0x0000000000634000-memory.dmp

Filesize
80KB

Download
memory/2032-57-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2032-58-0x0000000007F50000-0x0000000007FE0000-memory.dmp

Filesize
576KB

Download
memory/2032-59-0x0000000004130000-0x0000000004164000-memory.dmp

Filesize
208KB

Download
memory/2032-54-0x0000000000080000-0x0000000000154000-memory.dmp

Filesize
848KB

Download