formbook | 4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7

Analysis

max time kernel
51s
max time network
69s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
02-12-2022 01:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
Size

552KB
MD5

a17248c6c5c5ffbc978d43dfa4b6a167
SHA1

c99417cb8615416a978cc0b4c9cb90d80928457a
SHA256

4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7
SHA512

ecb72869466aa1c9dafd2a75aa3dbb4cbb190bf2b141a1b6f3b91f03f78740ba7abc1492f6ed31cedd85512d08c6ad4aeb09752049ce9362bb714c1df6dfa19b
SSDEEP

12288:Urcq/eKxqvEm8+uqePNAx4EUUu1ovVj9jq:E/eKovE6VePCx4qvh9j

Score

10^/10

formbook b5jr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

b5jr

Decoy

0de6wt9fDj2VzxFqyWStU2IZ

CEIlhC3/D4QckHwMOdQ=

324+OHk+LFMruPQ9L80=

052Bh/ajSEHVHMVOuQkQ

9DfC8AWAPlfh8P8=

+4Zqgb98ctfC/sT1EK31+8i9zyQ=

fkISYqdAD/gETU1glGl6ow==

muKtqNNZLlfh8P8=

qXtWc7RyEEJcdPkP

uL6XqPW6YUKi4UGNsQ==

iQT57xCknBF0qdAtV/Q88sRX8LzWzoSk

ZzYKFzTOjad8wuY=

D8Va1XR/BkMvcAxaQpofB6Og+yaT

IP7S065oQrQ/yA==

aEIWMUXk4hdw+ClvnoUBL8i9zyQ=

bjoiiSUS4sjYJPQ9L80=

+8Sk90TLmX4nbfdOuQkQ

ukEMGzCnXT/FIMz2n7T8lHIT

JzDsQuW6h3T9UQgzlGl6ow==

ugPgPem5vCmtvzE9q9bIOMN7ow==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe

description	pid	process	target process
PID 5012 set thread context of 3592	5012	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe

pid	process
3592	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
3592	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe

description	pid	process	target process
PID 5012 wrote to memory of 3592	5012	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
PID 5012 wrote to memory of 3592	5012	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
PID 5012 wrote to memory of 3592	5012	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
PID 5012 wrote to memory of 3592	5012	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
PID 5012 wrote to memory of 3592	5012	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
PID 5012 wrote to memory of 3592	5012	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe	4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe

C:\Users\Admin\AppData\Local\Temp\4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
"C:\Users\Admin\AppData\Local\Temp\4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5012

C:\Users\Admin\AppData\Local\Temp\4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe
"C:\Users\Admin\AppData\Local\Temp\4f6677dc3954982a155ebc120a4600225403047689acecaaab00cbed11b7f6d7.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3592

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3592-191-0x00000000004012B0-mapping.dmp

Download
memory/3592-190-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3592-192-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/3592-193-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/3592-194-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/3592-200-0x0000000001650000-0x0000000001970000-memory.dmp

Filesize
3.1MB

Download
memory/3592-199-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3592-197-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/5012-153-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-129-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-125-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-126-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-127-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-158-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-128-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-130-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-131-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-132-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-159-0x0000000004E40000-0x0000000004ED2000-memory.dmp

Filesize
584KB

Download
memory/5012-134-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-135-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-136-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-137-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-138-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-139-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-140-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-142-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-143-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-141-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-144-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-145-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-146-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-147-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-148-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-149-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-150-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-151-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-157-0x0000000005420000-0x000000000591E000-memory.dmp

Filesize
5.0MB

Download
memory/5012-123-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-154-0x0000000000590000-0x000000000061A000-memory.dmp

Filesize
552KB

Download
memory/5012-155-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-156-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-152-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-124-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-133-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-161-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-160-0x0000000005110000-0x00000000052B4000-memory.dmp

Filesize
1.6MB

Download
memory/5012-162-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-163-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-164-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-165-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-166-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-167-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-168-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-169-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-171-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-172-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-170-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-173-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-174-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-175-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-176-0x0000000004F00000-0x0000000004F0A000-memory.dmp

Filesize
40KB

Download
memory/5012-177-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-178-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-179-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-180-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-182-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-184-0x00000000053C0000-0x00000000053D6000-memory.dmp

Filesize
88KB

Download
memory/5012-183-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-181-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-122-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-121-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-120-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-185-0x0000000005410000-0x000000000541E000-memory.dmp

Filesize
56KB

Download
memory/5012-186-0x00000000779E0000-0x0000000077B6E000-memory.dmp

Filesize
1.6MB

Download
memory/5012-187-0x0000000007880000-0x00000000078F0000-memory.dmp

Filesize
448KB

Download
memory/5012-188-0x00000000079A0000-0x0000000007A3C000-memory.dmp

Filesize
624KB

Download
memory/5012-189-0x0000000007910000-0x0000000007944000-memory.dmp

Filesize
208KB

Download