formbook | 959b7b3c7962cbd8e88c0f342f370258244ab2a396ebd6abf26389020baf9a4c

Analysis

max time kernel
81s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
11-10-2022 05:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
Size

1.2MB
MD5

b873e0441c0ed5a134eb54f1fa7615fb
SHA1

728296c91b19720e6b1d2a848e4172632ac88b08
SHA256

959b7b3c7962cbd8e88c0f342f370258244ab2a396ebd6abf26389020baf9a4c
SHA512

903a24c20efeccc738ced4c4099ae4b22a555d2f27c1e196f8141cc6a5087b7f46a091cea040433b48b0217329ebfb6eac1856bb30198a00920fcf1eff6e316d
SSDEEP

12288:9KwfSzSu4B1aOYLryG3Azk8pmLSlgZq+iDtBEnTJAAQSQy4AHlyAKp:KGfHZUynuq1DtBYSAtQy4AHlWp

Score

10^/10

formbook mmtr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

description	pid	process	target process
PID 3548 set thread context of 1688	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exeSecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

pid	process
3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
1688	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
1688	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

description pid process

Token: SeDebugPrivilege 3548 SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

description	pid	process
Token: SeDebugPrivilege	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

description	pid	process	target process
PID 3548 wrote to memory of 2428	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 2428	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 2428	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 1688	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 1688	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 1688	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 1688	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 1688	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
PID 3548 wrote to memory of 1688	3548	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe	SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3548
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe"
  2⤵
  PID:2428
- C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe
  "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.21822.21708.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-139-0x0000000000000000-mapping.dmp

Download
memory/1688-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1688-143-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1688-144-0x00000000016B0000-0x00000000019FA000-memory.dmp

Filesize
3.3MB

Download
memory/2428-138-0x0000000000000000-mapping.dmp

Download
memory/3548-132-0x00000000006C0000-0x00000000007EC000-memory.dmp

Filesize
1.2MB

Download
memory/3548-133-0x0000000005830000-0x0000000005DD4000-memory.dmp

Filesize
5.6MB

Download
memory/3548-134-0x00000000051D0000-0x0000000005262000-memory.dmp

Filesize
584KB

Download
memory/3548-135-0x0000000005190000-0x000000000519A000-memory.dmp

Filesize
40KB

Download
memory/3548-136-0x000000000B2A0000-0x000000000B33C000-memory.dmp

Filesize
624KB

Download
memory/3548-137-0x000000000B340000-0x000000000B3A6000-memory.dmp

Filesize
408KB

Download