formbook | 95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf

Analysis

max time kernel
72s
max time network
76s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
01-12-2022 14:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
Size

552KB
MD5

b715de27a553217c49d78c598bb21369
SHA1

881f25a7c5c4f20d503a60d2824ab9df0382bf7b
SHA256

95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf
SHA512

cf1ce92ebc822e4c9de9cb329f3bf5bf80430a6e7e4fdc6ecf84a06ffd818599339724d29ef85e97919c3b0183dbcd0c365b37c90660a8efb0f6e848f4850df2
SSDEEP

12288:gWoHX/RF7mXZF6rslyyGG8arnuTeokpcaTy+yHKoN9jq:XOjSSr3yGmzaUyRj9j

Score

10^/10

formbook tz8t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

tz8t

Decoy

ny77rjODcxSfmMf2

Ro4c30aR3N8pqxgoKOH0nKpZ1DM=

Xz784MkvjnVyiOwsbwxpwblQv47KIw==

8E5DQ8nbaEVgDiQqlbCmBos=

n+Jwl1GgHG8xHU1BsHDG

KImMWN0zhg/fESvJ2Nc=

4NkRrZjFCmbstx7pIg==

kephKeYrhstVQqQYSObEksSLgDY=

pepRAInR/Ngl0ybL/xL+xaOJc2GUt9g=

0LcrLqfr4sQR9hDlIg==

WfSuYQ9im6fudNHAuU4qnBQwqlKg

SxQnURRzi2WtMVt/vNk=

iz4tST2moq0zPngkKg==

eLUdrzCjBM/pmw6rqF8sBRjLcc9OFtA=

+4qzyKMNHP4/6UoaVVp6VWhKbi8=

JOxXem3SKvkKf7xTTOdC9p8FMA==

anepSdQmIC6nN2795qU6Bm/qXvZ9x3a9

5k32ENdAijGAfu5OggFjy5Q=

2us845cGIIQ7LZEBArySuEk53z4=

Y48EB4G+/0vY3h9NmaVhJP9bv47KIw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

description	pid	process	target process
PID 3488 set thread context of 2876	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

pid	process
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
2876	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
2876	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

description pid process

Token: SeDebugPrivilege 3488 95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

description	pid	process
Token: SeDebugPrivilege	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

description	pid	process	target process
PID 3488 wrote to memory of 2328	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2328	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2328	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 4696	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 4696	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 4696	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2876	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2876	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2876	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2876	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2876	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
PID 3488 wrote to memory of 2876	3488	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe	95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe

C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
"C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3488

C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
"C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe"
2⤵
PID:2328

C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
"C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe"
2⤵
PID:4696

C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe
"C:\Users\Admin\AppData\Local\Temp\95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2876

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2876-188-0x00000000004012B0-mapping.dmp

Download
memory/2876-187-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-189-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/2876-190-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/2876-195-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2876-197-0x0000000000FA0000-0x00000000012C0000-memory.dmp

Filesize
3.1MB

Download
memory/2876-196-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/3488-149-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-123-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-120-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-152-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-122-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-153-0x0000000005E50000-0x000000000634E000-memory.dmp

Filesize
5.0MB

Download
memory/3488-124-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-125-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-126-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-127-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-128-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-129-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-130-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-131-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-132-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-133-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-134-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-135-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-136-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-137-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-138-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-139-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-140-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-141-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-142-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-143-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-144-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-145-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-146-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-147-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-148-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-118-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-150-0x0000000000F40000-0x0000000000FCA000-memory.dmp

Filesize
552KB

Download
memory/3488-151-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-121-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-154-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-119-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-155-0x0000000005950000-0x00000000059E2000-memory.dmp

Filesize
584KB

Download
memory/3488-156-0x0000000005BA0000-0x0000000005D44000-memory.dmp

Filesize
1.6MB

Download
memory/3488-157-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-159-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-158-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-160-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-161-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-162-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-163-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-164-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-165-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-166-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-167-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-168-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-169-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-170-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-171-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-172-0x0000000003330000-0x000000000333A000-memory.dmp

Filesize
40KB

Download
memory/3488-173-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-174-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-175-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-176-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-177-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-178-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-179-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-180-0x0000000005AA0000-0x0000000005AB6000-memory.dmp

Filesize
88KB

Download
memory/3488-181-0x0000000005B80000-0x0000000005B8E000-memory.dmp

Filesize
56KB

Download
memory/3488-117-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-116-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-182-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download
memory/3488-183-0x0000000008230000-0x00000000082A0000-memory.dmp

Filesize
448KB

Download
memory/3488-184-0x0000000008350000-0x00000000083EC000-memory.dmp

Filesize
624KB

Download
memory/3488-185-0x0000000008310000-0x0000000008344000-memory.dmp

Filesize
208KB

Download
memory/3488-186-0x0000000077480000-0x000000007760E000-memory.dmp

Filesize
1.6MB

Download