formbook | 95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf

Analysis

max time kernel
146s
max time network
160s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2022 17:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
Size

552KB
MD5

b715de27a553217c49d78c598bb21369
SHA1

881f25a7c5c4f20d503a60d2824ab9df0382bf7b
SHA256

95f44db4638c9a3804bffdb3c202b3de5a503a3847606dec40996524af217faf
SHA512

cf1ce92ebc822e4c9de9cb329f3bf5bf80430a6e7e4fdc6ecf84a06ffd818599339724d29ef85e97919c3b0183dbcd0c365b37c90660a8efb0f6e848f4850df2
SSDEEP

12288:gWoHX/RF7mXZF6rslyyGG8arnuTeokpcaTy+yHKoN9jq:XOjSSr3yGmzaUyRj9j

Score

10^/10

formbook tz8t rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

tz8t

Decoy

ny77rjODcxSfmMf2

Ro4c30aR3N8pqxgoKOH0nKpZ1DM=

Xz784MkvjnVyiOwsbwxpwblQv47KIw==

8E5DQ8nbaEVgDiQqlbCmBos=

n+Jwl1GgHG8xHU1BsHDG

KImMWN0zhg/fESvJ2Nc=

4NkRrZjFCmbstx7pIg==

kephKeYrhstVQqQYSObEksSLgDY=

pepRAInR/Ngl0ybL/xL+xaOJc2GUt9g=

0LcrLqfr4sQR9hDlIg==

WfSuYQ9im6fudNHAuU4qnBQwqlKg

SxQnURRzi2WtMVt/vNk=

iz4tST2moq0zPngkKg==

eLUdrzCjBM/pmw6rqF8sBRjLcc9OFtA=

+4qzyKMNHP4/6UoaVVp6VWhKbi8=

JOxXem3SKvkKf7xTTOdC9p8FMA==

anepSdQmIC6nN2795qU6Bm/qXvZ9x3a9

5k32ENdAijGAfu5OggFjy5Q=

2us845cGIIQ7LZEBArySuEk53z4=

Y48EB4G+/0vY3h9NmaVhJP9bv47KIw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

description	pid	process	target process
PID 2416 set thread context of 2172	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exeSecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

pid	process
2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2172	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
2172	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

description pid process

Token: SeDebugPrivilege 2416 SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

description	pid	process
Token: SeDebugPrivilege	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

description	pid	process	target process
PID 2416 wrote to memory of 2172	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
PID 2416 wrote to memory of 2172	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
PID 2416 wrote to memory of 2172	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
PID 2416 wrote to memory of 2172	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
PID 2416 wrote to memory of 2172	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
PID 2416 wrote to memory of 2172	2416	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe	SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2416

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.389.22386.8541.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2172

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2172-138-0x0000000000000000-mapping.dmp

Download
memory/2172-139-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-141-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2172-142-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/2172-143-0x00000000011C0000-0x000000000150A000-memory.dmp

Filesize
3.3MB

Download
memory/2416-132-0x0000000000C50000-0x0000000000CDA000-memory.dmp

Filesize
552KB

Download
memory/2416-133-0x0000000005D20000-0x00000000062C4000-memory.dmp

Filesize
5.6MB

Download
memory/2416-134-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/2416-135-0x00000000059E0000-0x0000000005B86000-memory.dmp

Filesize
1.6MB

Download
memory/2416-136-0x0000000005690000-0x000000000569A000-memory.dmp

Filesize
40KB

Download
memory/2416-137-0x0000000008260000-0x00000000082FC000-memory.dmp

Filesize
624KB

Download