formbook | 38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee

Analysis

max time kernel
88s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
10/10/2022, 11:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe
Size

917KB
MD5

f25e3594aba0fdc9c3d98043bedd16c6
SHA1

bcf633e24eff060782aaf7dd6e5a1fc61796d586
SHA256

38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee
SHA512

da43b1977800eee7cfb046d536fc1e7b804791dace90996be5e41f29c66b31d14e37e3a98626357a8706a234ba378617a49facae75c811405a1b44a5cd56d6d2
SSDEEP

12288:kYRcrWWvUZ4tlgD9yvR+ZBKm6M4qHKuw3BMUhpU1xo5Mik4EhBHglt:kY2vUZ4tlA9URmkm6dqqV3ecpUL

Score

10^/10

formbook vez2 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

vez2

Decoy

GCFh2WRY8h1RjEXapwS7Ck9LsYM=

Kw/ixUjrf6eR4l/24Q==

UU+jUhRwjrFC148Z

QbmEkwuT9vV0auS9f1g=

X/Bx/B8ftQ==

VkMUQmSy0OalCood8g==

BNLY7KKp9TVIQOS9f1g=

4T0IQw/gaKqntY81D2bTIzrbjw==

hVWRNvRVcKktVh2ymZKRgeSyJ0RoIbo=

Fef69GXN5DS86bNZQiZFu/q98os=

28+h068jMHplsKGaJQxI

5kXPNMQEFGjp6MuaJQxI

3U8XDYYOlJwvdF0f4w==

XVqaJqutwWlhek3SahJ4hg==

8g9h2U1zhLBC148Z

Q8NMHfa/7y+yrZpDEgLiBZBvwVt9Vvm5

jXeQnSyl0RXqI/ulQvZ9jA==

3cHSwlLqCBnkOQy9jXZ7AiKZ

6PU7tS0owgIcNy/fahJ4hg==

WVMuelelvwPA9XaFQtUSN8o=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4756 set thread context of 3492	4756	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	93

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3492	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe
3492	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4756 wrote to memory of 3492	4756	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	93
PID 4756 wrote to memory of 3492	4756	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	93
PID 4756 wrote to memory of 3492	4756	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	93
PID 4756 wrote to memory of 3492	4756	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	93
PID 4756 wrote to memory of 3492	4756	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	93
PID 4756 wrote to memory of 3492	4756	38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe	93

C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe
"C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe
  "C:\Users\Admin\AppData\Local\Temp\38611cbec59d31636dfa80e39146bc9c96d3515fbafd9ea16f7392bdfeee69ee.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3492-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3492-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3492-143-0x0000000001880000-0x0000000001BCA000-memory.dmp

Filesize
3.3MB

Download
memory/4756-132-0x0000000000010000-0x00000000000FA000-memory.dmp

Filesize
936KB

Download
memory/4756-133-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/4756-134-0x0000000004AF0000-0x0000000004B82000-memory.dmp

Filesize
584KB

Download
memory/4756-135-0x0000000004A90000-0x0000000004A9A000-memory.dmp

Filesize
40KB

Download
memory/4756-136-0x00000000071C0000-0x000000000725C000-memory.dmp

Filesize
624KB

Download
memory/4756-137-0x0000000007360000-0x00000000073C6000-memory.dmp

Filesize
408KB

Download