formbook | 722f3b52c9b45f5a0219423bf17052ea5cb2d4e9dc6a461af97ca55f13678ac4

Analysis

max time kernel
58s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
23-11-2022 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
Size

1.1MB
MD5

002e87b0ea62442b8c89ccfba9137109
SHA1

0b283d4f22bc526f3c2d98b3d64430bba393ebdd
SHA256

722f3b52c9b45f5a0219423bf17052ea5cb2d4e9dc6a461af97ca55f13678ac4
SHA512

9332f8212b18047743cdf8a5ea4e95463d7ad5302c91b05cf9d4b336b55e356912502dc5cda722697026d818675f8e400038fe22ea0ef6f20f7a1fe9fb69646b
SSDEEP

24576:wUTGpqdOpYgvymjwNJgs6+RrGj1En1w5:wnpqdOeg6mOn5Gj1aw

Score

10^/10

formbook xloader fofg loader rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fofg

Decoy

FHyydxpFBs0S8b4ZlP7ZEtd/

EVaCEKb/cVV9xQ==

U9I5lke0IuU7vj5EXus=

rXD3AKPV3qUblOUsV41KMfU=

PwBSy5z56XNzIvnS3ygsKv0=

CQe1BLbSnGXX

HuhKjxhLhxqBy2FFz8WoFA==

QJymezEoLOFZ1T5EXus=

V8r5PAdwuGK2AUARohas

b1XV06ANH9s5uj5EXus=

3EiEhwo7Euw2tl8=

c2PjK8Izkydy5N8x

CXCkYf0m/qPrv8QajKyT6Oo=

pHjy+Mk0CqvWBXdCz8WoFA==

QjSwr3/j5rAyvz5EXus=

+edxANg/sU+k8YFQz8WoFA==

tWiQq3rqyl6cTAG9pA==

GeAyMQxBUOlDwD5EXus=

nQ5eoT2mEKkhDN2DwBek

JP5dIbHlrXXR8umDwBek

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Xloader
Xloader is a rebranded version of Formbook malware.
loader xloader

Xloader payload 2 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1688-63-0x0000000000400000-0x000000000042C000-memory.dmp	xloader
behavioral1/memory/1688-64-0x000000000041F770-mapping.dmp	xloader

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

description	pid	process	target process
PID 1880 set thread context of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exeSecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

pid	process
1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
1688	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

description pid process

Token: SeDebugPrivilege 1880 SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

description	pid	process
Token: SeDebugPrivilege	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

description	pid	process	target process
PID 1880 wrote to memory of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
PID 1880 wrote to memory of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
PID 1880 wrote to memory of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
PID 1880 wrote to memory of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
PID 1880 wrote to memory of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
PID 1880 wrote to memory of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
PID 1880 wrote to memory of 1688	1880	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe	SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Packed2.44597.4928.31978.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1688-60-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1688-61-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1688-63-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1688-64-0x000000000041F770-mapping.dmp

Download
memory/1688-65-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1880-54-0x0000000000E00000-0x0000000000F2A000-memory.dmp

Filesize
1.2MB

Download
memory/1880-55-0x0000000075D71000-0x0000000075D73000-memory.dmp

Filesize
8KB

Download
memory/1880-56-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/1880-57-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/1880-58-0x00000000081B0000-0x000000000825E000-memory.dmp

Filesize
696KB

Download
memory/1880-59-0x0000000004CE0000-0x0000000004D54000-memory.dmp

Filesize
464KB

Download