formbook | 3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d

Analysis

max time kernel
137s
max time network
50s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
03-12-2022 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe
Size

445KB
MD5

e263de8f3ae2be138b63fcb2495512c9
SHA1

d2d02ff2d91e8991f37a2a721617c076467c7e27
SHA256

3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d
SHA512

bddf900dc7a55335afd4bbc62c82a19af0b6d1459007b3b9844d13442ab3ebbf9eb2a7f8b979f88aac5825b0d9a508a89d8c8ca07715dbd27e39b03745a3cc75
SSDEEP

12288:XouvLcC4YGInvPc0kPwnne5oa1czjH3SmYz5vcDXAhPO:XouzcC4GPc0yMnyoFItvcDwhP

Score

10^/10

formbook t5ez rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

t5ez

Decoy

v+YaDdg/udazyV4Iyw==

MXDNPIhw1/8BP0Ud2fguBRZ/8nF6wQ==

WsTRjsGfK1Wt+wjFRn9mBQ==

TrAv42rPyfBfhpI=

2FrznhJCG6bpCgm9+n/Xq0cr

phy0dqeRgaeZzcuciHGgrkeVQw==

DIYHd2O24QEB

wVbxr0eqbQZMc4xwQF1W3NdmR2Xc

ncsN3VitpSp18jvXswKeJeQKA1DW

n/FT0RVVULr7fMV0Ykb8ztU=

OET6wvfsbaGp6O2/Rn9mBQ==

2Rb8gNoGR5GEwAeUhcs=

wR8Fc7imd8/3cQeUhcs=

rMZ/VOtX0kR/yV4Iyw==

9YIUqO7RR4iL5Cffi994

03AHmeAX+2F85Cnfi994

9QbOseAK0/c4SGJW

S1EDywDiYofETA==

ivZm1wDWR2hgAEFURn9mBQ==

D2pe4DygKUJKoLidIuwJo4PiKGhyZLPc

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 3 IoCs

Processes:

3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exeCasPol.exe

description	pid	process	target process
PID 1444 set thread context of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe
PID 1716 set thread context of 1344	1716	CasPol.exe	Explorer.EXE
PID 1716 set thread context of 1344	1716	CasPol.exe	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

CasPol.exe

pid process

1716 CasPol.exe
1716 CasPol.exe
1716 CasPol.exe
1716 CasPol.exe
1716 CasPol.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

1344 Explorer.EXE
Suspicious behavior: MapViewOfSection 2 IoCs

Processes:

CasPol.exe

pid process

1716 CasPol.exe
1716 CasPol.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

CasPol.exe

description pid process

Token: SeDebugPrivilege 1716 CasPol.exe

pid	process
1716	CasPol.exe
1716	CasPol.exe
1716	CasPol.exe
1716	CasPol.exe
1716	CasPol.exe

pid	process
1344	Explorer.EXE

pid	process
1716	CasPol.exe
1716	CasPol.exe

description	pid	process
Token: SeDebugPrivilege	1716	CasPol.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe

description	pid	process	target process
PID 1444 wrote to memory of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe
PID 1444 wrote to memory of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe
PID 1444 wrote to memory of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe
PID 1444 wrote to memory of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe
PID 1444 wrote to memory of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe
PID 1444 wrote to memory of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe
PID 1444 wrote to memory of 1716	1444	3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe	CasPol.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
PID:1344

C:\Users\Admin\AppData\Local\Temp\3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe
"C:\Users\Admin\AppData\Local\Temp\3e78df55b6fae63e9199c141df9aaa3c3ad937a654cf876406f74593385a9d5d.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1444

C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1716

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1344-64-0x0000000006BF0000-0x0000000006CC9000-memory.dmp

Filesize
868KB

Download
memory/1344-67-0x0000000006CD0000-0x0000000006D9C000-memory.dmp

Filesize
816KB

Download
memory/1444-55-0x0000000000620000-0x0000000000692000-memory.dmp

Filesize
456KB

Download
memory/1444-54-0x0000000000F50000-0x0000000000FC4000-memory.dmp

Filesize
464KB

Download
memory/1716-57-0x00000000004012B0-mapping.dmp

Download
memory/1716-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-61-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1716-62-0x0000000000AA0000-0x0000000000DA3000-memory.dmp

Filesize
3.0MB

Download
memory/1716-63-0x0000000000120000-0x0000000000130000-memory.dmp

Filesize
64KB

Download
memory/1716-59-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-66-0x0000000000170000-0x0000000000180000-memory.dmp

Filesize
64KB

Download
memory/1716-56-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-68-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1716-69-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download