formbook | 959b7b3c7962cbd8e88c0f342f370258244ab2a396ebd6abf26389020baf9a4c

Analysis

max time kernel
56s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
11-10-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
Size

1.2MB
MD5

b873e0441c0ed5a134eb54f1fa7615fb
SHA1

728296c91b19720e6b1d2a848e4172632ac88b08
SHA256

959b7b3c7962cbd8e88c0f342f370258244ab2a396ebd6abf26389020baf9a4c
SHA512

903a24c20efeccc738ced4c4099ae4b22a555d2f27c1e196f8141cc6a5087b7f46a091cea040433b48b0217329ebfb6eac1856bb30198a00920fcf1eff6e316d
SSDEEP

12288:9KwfSzSu4B1aOYLryG3Azk8pmLSlgZq+iDtBEnTJAAQSQy4AHlyAKp:KGfHZUynuq1DtBYSAtQy4AHlWp

Score

10^/10

formbook mmtr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

description	pid	process	target process
PID 1048 set thread context of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

pid process

620 SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

pid	process
620	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

description	pid	process	target process
PID 1048 wrote to memory of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 1048 wrote to memory of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 1048 wrote to memory of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 1048 wrote to memory of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 1048 wrote to memory of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 1048 wrote to memory of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 1048 wrote to memory of 620	1048	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-64-0x00000000004012B0-mapping.dmp

Download
memory/620-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/620-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-68-0x0000000000A80000-0x0000000000D83000-memory.dmp

Filesize
3.0MB

Download
memory/1048-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-56-0x0000000000510000-0x000000000052A000-memory.dmp

Filesize
104KB

Download
memory/1048-57-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/1048-58-0x000000000A240000-0x000000000A2CE000-memory.dmp

Filesize
568KB

Download
memory/1048-59-0x0000000000DA0000-0x0000000000DD4000-memory.dmp

Filesize
208KB

Download
memory/1048-54-0x0000000001110000-0x000000000123C000-memory.dmp

Filesize
1.2MB

Download