formbook | 69c4f08c64ca2809ab57dfb43008d4e197bda7ce1a3613402563660afd6e6226

General

Target

SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
Size

940KB
MD5

ad4afa925700586e0138bda59adaddb7
SHA1

8309a84b841861ccac278fc03a5e213bd6628126
SHA256

69c4f08c64ca2809ab57dfb43008d4e197bda7ce1a3613402563660afd6e6226
SHA512

48ccbd2a3297246499a252f9a3028f6400ca5199a0158f893ab62a347fc887269d338ef761e8daabe723c24bbb985b242b9091ac054fe541181598b33d5bd5e0
SSDEEP

24576:vzq75DWfksa2TEiYxBayY7CdTiwAAgEEY4:8Wfe2Q9xBxDTQp

Score

10^/10

formbook fqwu rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fqwu

Decoy

N6XHavFRXQTRmNUkF9dn

EoaWTgFMmLFmUJ7CJNkTiGoj5A==

Dm+WNJDwSQa5cML3Q7EBiGoj5A==

nixR8ZCkOWjqrASBuic=

yvWQNApkdf4QYIih4+xUDY0=

RtmBQtDYDb50g8btXA==

8SU541y9Ec12NYK8PSOfA8OPpaphimY=

/yEvxvlAkquuY3W1QQ==

AlHZgYW4BiI9V+M=

YsHIUsAOO15j+9TnWA==

JJu1S7QIIMij0xUqlUtv

CmWBLrD98YnyUCCFvy0=

uPwhAVEvtu1rTuY=

PI6bR88GVGXmRlpxpKjtBpo=

GnL7qs9HVQAiF6ckF9dn

2zVeBFKZgO1rTuY=

2VI1VpOg7boCAFxvrWN3ys9rovE=

L1lO62zA2o1QEEZRQtgh7g==

brhF5dY1e3zmSyCFvy0=

U6m2TsEidTTdsA5kX8wh7g==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

description	pid	process	target process
PID 1220 set thread context of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exeSecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

pid process

1220 SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
1116 SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

description pid process

Token: SeDebugPrivilege 1220 SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

pid	process
1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
1116	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

description	pid	process
Token: SeDebugPrivilege	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

description	pid	process	target process
PID 1220 wrote to memory of 816	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 816	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 816	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 816	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
PID 1220 wrote to memory of 1116	1220	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe	SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1220

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe"
2⤵
PID:816

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.1701.27630.3248.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1116

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-64-0x00000000004012B0-mapping.dmp

Download
memory/1116-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1116-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1116-68-0x0000000000BF0000-0x0000000000EF3000-memory.dmp

Filesize
3.0MB

Download
memory/1220-55-0x0000000075141000-0x0000000075143000-memory.dmp

Filesize
8KB

Download
memory/1220-56-0x00000000002A0000-0x00000000002B6000-memory.dmp

Filesize
88KB

Download
memory/1220-57-0x00000000002C0000-0x00000000002CE000-memory.dmp

Filesize
56KB

Download
memory/1220-58-0x0000000005D40000-0x0000000005DCE000-memory.dmp

Filesize
568KB

Download
memory/1220-59-0x00000000045C0000-0x0000000004616000-memory.dmp

Filesize
344KB

Download
memory/1220-54-0x0000000000AF0000-0x0000000000BE2000-memory.dmp

Filesize
968KB

Download

Analysis

Sharing