formbook | 1235cd108420d0531298421c807f494e09133bdab337a0d13c6e1bb7ebf239c4

Analysis

max time kernel
83s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
Size

736KB
MD5

f4937a3e14c770221de47df00885285b
SHA1

dc22ac92d802f7339691082330dc36a236e86644
SHA256

1235cd108420d0531298421c807f494e09133bdab337a0d13c6e1bb7ebf239c4
SHA512

f06d1eaf53b7027a768f24d15f8b9cf099145f77765c8ef6a8577f37633ccb147f6d3038a46bce5c21de65b6bd78ab14636d6d233497210af07b2923a0b0c4c7
SSDEEP

12288:JwlQbmomPZefXPtqvyuQwYvCYDAD9AxDZCCjM+9MQJQv8vgUycEn/z:iomxiXQFwv1M9KDZCIMpQDgUDyz

Score

10^/10

formbook 06eh rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

06eh

Decoy

LFsv6dX2ii6R8OphWwptZ9Uy+geJcQ==

F2g1Ra3riiwsEeceZ+kPoyzVyQ==

m7+bOE66nh10jg==

Dyb/VMcRh6yNuvVNwJjlrzs=

3yNAvKD3bmuj1Q4=

K7hi/htWsKfW6xc=

sqpSY7/gcvvY0tm0tWucCg==

LnSqfZJAUour0Qo=

Il4dO5W4JE9OlQYNbHc=

LUYTY9QKZHZPe74hTaa/ljM=

Qg6iySJSuuTgNcboVm4=

SJkvGoebIdDEsJn9AI7yPbNK

DKBLqQM7m6oaUKM84/sIFQ==

GOOzpszYDX9lkuZQ5pmdrDDeyg==

V5064wgZl0G1DxNTv5jlrzs=

Onlr5MMHSXuH/91V

oddlSLzpBTyiCAtcvmSS

ITsUV4Gw/mkWaGLjCHs=

HqWBQYO4SQBinnio6GmL

tDrGMY3MC5e1KdgFRw==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe

description	pid	process	target process
PID 1348 set thread context of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe

pid process

1280 20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe

pid	process
1280	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe

description	pid	process	target process
PID 1348 wrote to memory of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
PID 1348 wrote to memory of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
PID 1348 wrote to memory of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
PID 1348 wrote to memory of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
PID 1348 wrote to memory of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
PID 1348 wrote to memory of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
PID 1348 wrote to memory of 1280	1348	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe	20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe

C:\Users\Admin\AppData\Local\Temp\20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
"C:\Users\Admin\AppData\Local\Temp\20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1348

C:\Users\Admin\AppData\Local\Temp\20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe
"C:\Users\Admin\AppData\Local\Temp\20.253.174.196_-_file01_-_fifth.exe___f4937a3e14c770221de47df00885285b.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1280

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1280-64-0x00000000004012B0-mapping.dmp

Download
memory/1280-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1280-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1280-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1280-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1280-67-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1280-68-0x0000000000910000-0x0000000000C13000-memory.dmp

Filesize
3.0MB

Download
memory/1348-55-0x0000000074F41000-0x0000000074F43000-memory.dmp

Filesize
8KB

Download
memory/1348-56-0x0000000000460000-0x000000000047A000-memory.dmp

Filesize
104KB

Download
memory/1348-57-0x0000000000330000-0x000000000033E000-memory.dmp

Filesize
56KB

Download
memory/1348-58-0x0000000005D50000-0x0000000005DCA000-memory.dmp

Filesize
488KB

Download
memory/1348-59-0x00000000006C0000-0x0000000000702000-memory.dmp

Filesize
264KB

Download
memory/1348-54-0x0000000001110000-0x00000000011CE000-memory.dmp

Filesize
760KB

Download