formbook | 38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee

Analysis

max time kernel
45s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
10-10-2022 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe
Size

917KB
MD5

f25e3594aba0fdc9c3d98043bedd16c6
SHA1

bcf633e24eff060782aaf7dd6e5a1fc61796d586
SHA256

38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee
SHA512

da43b1977800eee7cfb046d536fc1e7b804791dace90996be5e41f29c66b31d14e37e3a98626357a8706a234ba378617a49facae75c811405a1b44a5cd56d6d2
SSDEEP

12288:kYRcrWWvUZ4tlgD9yvR+ZBKm6M4qHKuw3BMUhpU1xo5Mik4EhBHglt:kY2vUZ4tlA9URmkm6dqqV3ecpUL

Score

10^/10

formbook vez2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

vez2

Decoy

GCFh2WRY8h1RjEXapwS7Ck9LsYM=

Kw/ixUjrf6eR4l/24Q==

UU+jUhRwjrFC148Z

QbmEkwuT9vV0auS9f1g=

X/Bx/B8ftQ==

VkMUQmSy0OalCood8g==

BNLY7KKp9TVIQOS9f1g=

4T0IQw/gaKqntY81D2bTIzrbjw==

hVWRNvRVcKktVh2ymZKRgeSyJ0RoIbo=

Fef69GXN5DS86bNZQiZFu/q98os=

28+h068jMHplsKGaJQxI

5kXPNMQEFGjp6MuaJQxI

3U8XDYYOlJwvdF0f4w==

XVqaJqutwWlhek3SahJ4hg==

8g9h2U1zhLBC148Z

Q8NMHfa/7y+yrZpDEgLiBZBvwVt9Vvm5

jXeQnSyl0RXqI/ulQvZ9jA==

3cHSwlLqCBnkOQy9jXZ7AiKZ

6PU7tS0owgIcNy/fahJ4hg==

WVMuelelvwPA9XaFQtUSN8o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1752 set thread context of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1648	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28
PID 1752 wrote to memory of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28
PID 1752 wrote to memory of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28
PID 1752 wrote to memory of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28
PID 1752 wrote to memory of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28
PID 1752 wrote to memory of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28
PID 1752 wrote to memory of 1648	1752	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	28

C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe
"C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe
  "C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1648

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1648-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1648-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1648-68-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1752-55-0x0000000076261000-0x0000000076263000-memory.dmp

Filesize
8KB

Download
memory/1752-56-0x0000000000220000-0x0000000000234000-memory.dmp

Filesize
80KB

Download
memory/1752-57-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1752-58-0x0000000005820000-0x00000000058B0000-memory.dmp

Filesize
576KB

Download
memory/1752-59-0x0000000000B60000-0x0000000000B94000-memory.dmp

Filesize
208KB

Download
memory/1752-54-0x0000000000F50000-0x000000000103A000-memory.dmp

Filesize
936KB

Download