formbook | 2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644

Resubmissions

05-12-2022 00:54

221205-a9jyrsfc4z 10

02-12-2022 04:20

221202-ex772sgb9v 10

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
05-12-2022 00:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
Size

996KB
MD5

a4b95505ac0ea4f9e62da770bf60a2f8
SHA1

e30412924fc260ce5842730d8f7808c5eb58471f
SHA256

2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644
SHA512

56fc357e3529aa97f79f534daf843607dad29171a7d8318eabee5889329249b45dcb98d787f61712e220cada3e1f8872bb4b1ec25bc094796032551c0329e90f
SSDEEP

12288:I6wgh/cS0Rt2UnIUCsJ1hmuaB73bdgjcedXtcSEjz5ktYnxWzgRVDqlq9cVrbF:INgh/f2t/nVp1A73Bgjc8tcf5ktYn04

Score

10^/10

formbook b5jr rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

b5jr

Decoy

0de6wt9fDj2VzxFqyWStU2IZ

CEIlhC3/D4QckHwMOdQ=

324+OHk+LFMruPQ9L80=

052Bh/ajSEHVHMVOuQkQ

9DfC8AWAPlfh8P8=

+4Zqgb98ctfC/sT1EK31+8i9zyQ=

fkISYqdAD/gETU1glGl6ow==

muKtqNNZLlfh8P8=

qXtWc7RyEEJcdPkP

uL6XqPW6YUKi4UGNsQ==

iQT57xCknBF0qdAtV/Q88sRX8LzWzoSk

ZzYKFzTOjad8wuY=

D8Va1XR/BkMvcAxaQpofB6Og+yaT

IP7S065oQrQ/yA==

aEIWMUXk4hdw+ClvnoUBL8i9zyQ=

bjoiiSUS4sjYJPQ9L80=

+8Sk90TLmX4nbfdOuQkQ

ukEMGzCnXT/FIMz2n7T8lHIT

JzDsQuW6h3T9UQgzlGl6ow==

ugPgPem5vCmtvzE9q9bIOMN7ow==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

description	pid	process	target process
PID 816 set thread context of 3044	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

pid	process
816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
3044	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
3044	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

description pid process

Token: SeDebugPrivilege 816 2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

description	pid	process
Token: SeDebugPrivilege	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

description	pid	process	target process
PID 816 wrote to memory of 4876	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 4876	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 4876	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 3044	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 3044	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 3044	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 3044	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 3044	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
PID 816 wrote to memory of 3044	816	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe	2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe

C:\Users\Admin\AppData\Local\Temp\2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
"C:\Users\Admin\AppData\Local\Temp\2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:816

C:\Users\Admin\AppData\Local\Temp\2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
"C:\Users\Admin\AppData\Local\Temp\2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe"
2⤵
PID:4876

C:\Users\Admin\AppData\Local\Temp\2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe
"C:\Users\Admin\AppData\Local\Temp\2c412d963b9d1020bea10e91d8aa14a58b950e3b85c1dbc13be4301c468bd644.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3044

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/816-132-0x0000000000120000-0x0000000000220000-memory.dmp

Filesize
1024KB

Download
memory/816-133-0x00000000051E0000-0x0000000005784000-memory.dmp

Filesize
5.6MB

Download
memory/816-134-0x0000000004C30000-0x0000000004CC2000-memory.dmp

Filesize
584KB

Download
memory/816-135-0x0000000004BB0000-0x0000000004BBA000-memory.dmp

Filesize
40KB

Download
memory/816-136-0x0000000008A20000-0x0000000008ABC000-memory.dmp

Filesize
624KB

Download
memory/3044-138-0x0000000000000000-mapping.dmp

Download
memory/3044-139-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3044-141-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/3044-142-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/3044-143-0x00000000013E0000-0x000000000172A000-memory.dmp

Filesize
3.3MB

Download
memory/3044-144-0x00000000013E0000-0x000000000172A000-memory.dmp

Filesize
3.3MB

Download
memory/4876-137-0x0000000000000000-mapping.dmp

Download