formbook | 773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94

Analysis

max time kernel
85s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 08:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
Size

1.0MB
MD5

d8896273f6e3976c0051d2985fca39d3
SHA1

ffa987faeda3e9d6a912b63dbd8fb7adf105fa8f
SHA256

773e21380e7b28202c6c142d4562bcfd733de46ffa3e63a1351dd2860c065a94
SHA512

8f90bf50ec129b11e06dc7f48f13399a4b59d67f2daf6043a5fcd5d6b9f6dd584a9bc86a7586056720c79ed834b5b2f31ae2c52018c2d4678f02de5a4fc00d38
SSDEEP

24576:TrqkTiwAAgEEY4BjH04VwMQJXP7XLBRFPG1e/1:HTQpfVwMMP7XL7Fu1eN

Score

10^/10

formbook fh8p rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fh8p

Decoy

51F23EN4Txw0zl7VSV72h3U1

r51e7umgAYu/WtxeMGHnGxLw2sBpOeZJ

IQ38brXAkQLFMYHztA==

ZsVI1+ZC1m5iov4xpA==

3sltsjJTHbqCqj4yzxAxSg==

cd/wV6bAp00lenVgURspAmkDrXpY

FPiMqs88TyH2LcbQ

B+tfkhM6CKKnkwHY

3UG4Fv6Z1YbVcKhGADQ=

7HWXwp4acUvZid/eOwbUBPCsF+4=

cFmdzrE0gUTDYnlFzxAxSg==

NZ68/khRFLankwHY

iwOpJcLSmHX2LcbQ

Riu+/F9kYTgDK5SAc0Rmsmcs

F2wn+jKjVAwF

Z77ISAWVozHM7Xs/XIK5

V71c6sFWuV6uagGJWMUBxCs=

JvYlUje3B95h+Ts+jv61WcvMdO4AdzSVjQ==

fOMJf5pQ2nKHJn3XzxAxSg==

5k9hflzYDY/GQnjazxAxSg==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

description	pid	process	target process
PID 1504 set thread context of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exeSecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

pid	process
1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
1796	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

description pid process

Token: SeDebugPrivilege 1504 SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

description	pid	process
Token: SeDebugPrivilege	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

description	pid	process	target process
PID 1504 wrote to memory of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
PID 1504 wrote to memory of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
PID 1504 wrote to memory of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
PID 1504 wrote to memory of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
PID 1504 wrote to memory of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
PID 1504 wrote to memory of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
PID 1504 wrote to memory of 1796	1504	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe	SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1504

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.5400.1001.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1796

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-54-0x0000000000830000-0x0000000000944000-memory.dmp

Filesize
1.1MB

Download
memory/1504-55-0x00000000768A1000-0x00000000768A3000-memory.dmp

Filesize
8KB

Download
memory/1504-56-0x00000000003B0000-0x00000000003C6000-memory.dmp

Filesize
88KB

Download
memory/1504-57-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/1504-58-0x0000000007FA0000-0x0000000008032000-memory.dmp

Filesize
584KB

Download
memory/1504-59-0x0000000005E10000-0x0000000005E68000-memory.dmp

Filesize
352KB

Download
memory/1796-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-64-0x00000000004012B0-mapping.dmp

Download
memory/1796-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1796-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1796-68-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads