formbook | 4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7

Analysis

max time kernel
131s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
02-12-2022 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a17248c6c5c5ffbc978d43dfa4b6a167.exe
Size

552KB
MD5

a17248c6c5c5ffbc978d43dfa4b6a167
SHA1

c99417cb8615416a978cc0b4c9cb90d80928457a
SHA256

4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7
SHA512

ecb72869466aa1c9dafd2a75aa3dbb4cbb190bf2b141a1b6f3b91f03f78740ba7abc1492f6ed31cedd85512d08c6ad4aeb09752049ce9362bb714c1df6dfa19b
SSDEEP

12288:Urcq/eKxqvEm8+uqePNAx4EUUu1ovVj9jq:E/eKovE6VePCx4qvh9j

Score

10^/10

formbook b5jr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

b5jr

Decoy

0de6wt9fDj2VzxFqyWStU2IZ

CEIlhC3/D4QckHwMOdQ=

324+OHk+LFMruPQ9L80=

052Bh/ajSEHVHMVOuQkQ

9DfC8AWAPlfh8P8=

+4Zqgb98ctfC/sT1EK31+8i9zyQ=

fkISYqdAD/gETU1glGl6ow==

muKtqNNZLlfh8P8=

qXtWc7RyEEJcdPkP

uL6XqPW6YUKi4UGNsQ==

iQT57xCknBF0qdAtV/Q88sRX8LzWzoSk

ZzYKFzTOjad8wuY=

D8Va1XR/BkMvcAxaQpofB6Og+yaT

IP7S065oQrQ/yA==

aEIWMUXk4hdw+ClvnoUBL8i9zyQ=

bjoiiSUS4sjYJPQ9L80=

+8Sk90TLmX4nbfdOuQkQ

ukEMGzCnXT/FIMz2n7T8lHIT

JzDsQuW6h3T9UQgzlGl6ow==

ugPgPem5vCmtvzE9q9bIOMN7ow==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

a17248c6c5c5ffbc978d43dfa4b6a167.exe

description pid process target process

PID 4912 set thread context of 5068 4912 a17248c6c5c5ffbc978d43dfa4b6a167.exe a17248c6c5c5ffbc978d43dfa4b6a167.exe

description	pid	process	target process
PID 4912 set thread context of 5068	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

a17248c6c5c5ffbc978d43dfa4b6a167.exea17248c6c5c5ffbc978d43dfa4b6a167.exe

pid	process
4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe
4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe
5068	a17248c6c5c5ffbc978d43dfa4b6a167.exe
5068	a17248c6c5c5ffbc978d43dfa4b6a167.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

a17248c6c5c5ffbc978d43dfa4b6a167.exe

description pid process

Token: SeDebugPrivilege 4912 a17248c6c5c5ffbc978d43dfa4b6a167.exe

description	pid	process
Token: SeDebugPrivilege	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

a17248c6c5c5ffbc978d43dfa4b6a167.exe

description	pid	process	target process
PID 4912 wrote to memory of 1516	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 1516	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 1516	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 5068	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 5068	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 5068	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 5068	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 5068	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe
PID 4912 wrote to memory of 5068	4912	a17248c6c5c5ffbc978d43dfa4b6a167.exe	a17248c6c5c5ffbc978d43dfa4b6a167.exe

C:\Users\Admin\AppData\Local\Temp\a17248c6c5c5ffbc978d43dfa4b6a167.exe
"C:\Users\Admin\AppData\Local\Temp\a17248c6c5c5ffbc978d43dfa4b6a167.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4912

C:\Users\Admin\AppData\Local\Temp\a17248c6c5c5ffbc978d43dfa4b6a167.exe
"C:\Users\Admin\AppData\Local\Temp\a17248c6c5c5ffbc978d43dfa4b6a167.exe"
2⤵
PID:1516

C:\Users\Admin\AppData\Local\Temp\a17248c6c5c5ffbc978d43dfa4b6a167.exe
"C:\Users\Admin\AppData\Local\Temp\a17248c6c5c5ffbc978d43dfa4b6a167.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5068

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1516-138-0x0000000000000000-mapping.dmp

Download
memory/4912-132-0x0000000000200000-0x000000000028A000-memory.dmp

Filesize
552KB

Download
memory/4912-133-0x00000000052E0000-0x0000000005884000-memory.dmp

Filesize
5.6MB

Download
memory/4912-134-0x0000000004C20000-0x0000000004CB2000-memory.dmp

Filesize
584KB

Download
memory/4912-135-0x0000000004EE0000-0x0000000005086000-memory.dmp

Filesize
1.6MB

Download
memory/4912-136-0x0000000004E80000-0x0000000004E8A000-memory.dmp

Filesize
40KB

Download
memory/4912-137-0x0000000000BB0000-0x0000000000C4C000-memory.dmp

Filesize
624KB

Download
memory/5068-139-0x0000000000000000-mapping.dmp

Download
memory/5068-140-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5068-142-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5068-143-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/5068-144-0x0000000001AE0000-0x0000000001E2A000-memory.dmp

Filesize
3.3MB

Download