formbook | 97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1

Analysis

max time kernel
109s
max time network
41s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
01-12-2022 15:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
Size

1.0MB
MD5

36cffbbe00ff9dd2a5c813d43dc2749b
SHA1

80a003e052f3cdc9bd10803882c198684bff8574
SHA256

97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1
SHA512

b417c23df1a8c0fa2860d59d6886230b4648f66eb4ba269cc2514570a0f8b3bbee4cd653b0543ef3b07a02b6c52c657665303add260b6c1093e277a990ba089e
SSDEEP

12288:WU2EIn2uWBQmER9Ai2flfLO/caYVT/XG4Vcfe+y/qv2q7KqRmZ4dUpkD0bxMMJPc:WRWBQLKNkcfvHcfe+y/qvjG7xMMJ1q

Score

10^/10

formbook 8ch8 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

8ch8

Decoy

EpMcJgRhXLgnbGVS1w==

PT1CWj241lPTuYLqz4cMQug=

iW5zo5XTlCyvPyc0hZ+/Ww==

3TiaoYnZM2R/2Jxzj/YY/wSb

gmIzUUXL9Y9CJH1OhZ+/Ww==

TdhX816H2NfWDDA8zg==

hrO4y8wSaEd20IZmhZ+/Ww==

hpV3JYmIC104sSI=

OO5xgWfn6pzCBp3kOas=

wJJtjXKWWuN0B4D/Zq+h+MJnVA==

cG5OST1xygeTEXTwN+gtU+o=

DEkjtjWwSl04sSI=

4jIoyEKj+0h76T8=

CBgIFRBAneBly2N666Yv0uI=

q7/M5ri8J104sSI=

X3FOWUW6vIeYk2QMLPV/GR/KuJlO71Nn

Pk5Xbmm7K2oM390ILKE=

AJLzkApAgKHYDDA8zg==

Z1BN4jzHtGx8ZiKO2DMnznIiArHLh6E=

1WnEWMU1nd7aSQ==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe

description	pid	process	target process
PID 1256 set thread context of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe

pid process

1604 97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe

pid	process
1604	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe

description	pid	process	target process
PID 1256 wrote to memory of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
PID 1256 wrote to memory of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
PID 1256 wrote to memory of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
PID 1256 wrote to memory of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
PID 1256 wrote to memory of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
PID 1256 wrote to memory of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
PID 1256 wrote to memory of 1604	1256	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe	97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe

C:\Users\Admin\AppData\Local\Temp\97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
"C:\Users\Admin\AppData\Local\Temp\97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1256

C:\Users\Admin\AppData\Local\Temp\97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe
"C:\Users\Admin\AppData\Local\Temp\97a6db96fa0467a8cbe068fe3b09b0c03c2be85e2902503464e3af90e4e80af1.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1604

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1256-54-0x0000000000EF0000-0x0000000000FFE000-memory.dmp

Filesize
1.1MB

Download
memory/1256-55-0x0000000075C61000-0x0000000075C63000-memory.dmp

Filesize
8KB

Download
memory/1256-56-0x0000000000490000-0x00000000004A6000-memory.dmp

Filesize
88KB

Download
memory/1256-57-0x00000000004B0000-0x00000000004BE000-memory.dmp

Filesize
56KB

Download
memory/1256-58-0x0000000005520000-0x00000000055C6000-memory.dmp

Filesize
664KB

Download
memory/1256-59-0x00000000055D0000-0x000000000563E000-memory.dmp

Filesize
440KB

Download
memory/1604-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-64-0x00000000004012B0-mapping.dmp

Download
memory/1604-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1604-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1604-68-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

Filesize
3.0MB

Download