formbook | 0eaf8fb227e3199f24985dca89e3c7a8e0138251456c94b12209120db4647be1

Analysis

max time kernel
130s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
10-10-2022 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
Size

1.1MB
MD5

ab21def9360038cafa353972417b0527
SHA1

877b7890ee8aed3e4ba3aefb0723a1ecb41ff27e
SHA256

10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c
SHA512

7dbf424263a6d4f93ffc504322ef7e4e650a019ab71181444241b1aff6e73021b02e2956ddd4b27e75aa970f83de689685ac9c6ca96f9f3a7a92388430f0fa29
SSDEEP

12288:Usc1hw4e/ehrrzpaEKs0k5yQa2wsUyrjRhxHCQyuVR1hw4e/Ugi:J4LJUEKBDZyRmKG4T

Score

10^/10

formbook xloader 6hsc loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

6hsc

Decoy

6cvqXARAGlgdnnbXYQ==

Mi4yZ8FULou6w26U2FDnEbA=

Xmx0bJmRZGL+O0RFfLFNN9AMdwn+

B0WNhyl4T2gWBIqE1VDnEbA=

DI2G9/sG/v6YIh42aQ==

0NTaAl90ZWYiGV/bT4U=

DWCuXrL23Cc3xdIG/0dT

fTbzys/dddqOVQ==

8ClrDFi3i+asgxBOnguhlQ==

YjOkWLSpXeqrXw==

gAIov8vbtv8vr8/tFSXvDULL7thokKA=

xMW2qsXay7xNkonR/zxPo939

xc38fRlgO2opnnbXYQ==

+o31vQlURJKmLUWfHlMq0Gjs

z6GwWxCSKJLJ

2pnQ5evpehAxUt4hd6pq9X71

2CmXDSU2DTmDR+Q=

WV9ScxFQID1V2glQnguhlQ==

L8UDlK65h9wJ7Zeb3VDnEbA=

Agb4LF2bRcDX

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/3220-139-0x0000000000400000-0x000000000042D000-memory.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe

description	pid	process	target process
PID 1760 set thread context of 3220	1760	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe

pid	process
3220	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
3220	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe

description	pid	process	target process
PID 1760 wrote to memory of 3220	1760	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
PID 1760 wrote to memory of 3220	1760	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
PID 1760 wrote to memory of 3220	1760	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
PID 1760 wrote to memory of 3220	1760	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
PID 1760 wrote to memory of 3220	1760	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
PID 1760 wrote to memory of 3220	1760	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe	10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe

C:\Users\Admin\AppData\Local\Temp\10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
"C:\Users\Admin\AppData\Local\Temp\10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1760

C:\Users\Admin\AppData\Local\Temp\10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe
"C:\Users\Admin\AppData\Local\Temp\10503ccee19c440f294f4e4833b8df43f2f8f4620f4af3f01dd0a74b11fed33c.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3220

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-132-0x0000000000590000-0x00000000006AA000-memory.dmp

Filesize
1.1MB

Download
memory/1760-133-0x00000000053B0000-0x0000000005954000-memory.dmp

Filesize
5.6MB

Download
memory/1760-134-0x0000000004F00000-0x0000000004F92000-memory.dmp

Filesize
584KB

Download
memory/1760-135-0x00000000050D0000-0x00000000050DA000-memory.dmp

Filesize
40KB

Download
memory/1760-136-0x00000000095B0000-0x000000000964C000-memory.dmp

Filesize
624KB

Download
memory/1760-137-0x0000000009510000-0x0000000009576000-memory.dmp

Filesize
408KB

Download
memory/3220-138-0x0000000000000000-mapping.dmp

Download
memory/3220-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3220-140-0x0000000001640000-0x000000000198A000-memory.dmp

Filesize
3.3MB

Download