formbook | 268552c2ffe8fbb6b8a2244ce2931ca115a4057d74bfb72fc7ba91b95d95ac63

Analysis

max time kernel
45s
max time network
49s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd811d9e445bb6882d2864faaf80f668.exe
Size

897KB
MD5

bd811d9e445bb6882d2864faaf80f668
SHA1

1ee49be423203c7034a6189b0364abfab6e02036
SHA256

268552c2ffe8fbb6b8a2244ce2931ca115a4057d74bfb72fc7ba91b95d95ac63
SHA512

7f1421afb65de1d60dfe5515a497b9d3c1b4c94f827d85604fa8106c0b69162f4a95463d4dd9c34b1eeb69a55ecdedce175bc938985d5a4b141e6a5b89c202df
SSDEEP

12288:x7oQgKZ/nXt7virmWhlGLaQYI1N6kowFheAjRjWf2yS/nhkehKuk5p/kAJF4JzrM:xLvFhecWf2bky0/P45rAQfWeQkNs

Score

10^/10

formbook w086 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

w086

Decoy

F6jSz+l9QmYXguG/xUipf/6ixrik

cQZre8twfBVOOJgLenGTGA==

pG5kW2/wqwEOCVxZ

KORXeYwt7wF8J3BR

HL0ZdBMjeHet

TR57b4Yi6wJ8J3BR

fRyK2yaqeDRGHiQTTw==

RwhsqfRxABNZS59wenGTGA==

GuZaY4H4ahcWKjUdVg==

I5C4/Wyz3fglj+o=

Te5QPEu3NjZ0P58LenGTGA==

M9YJLwifZIi9pfnj2Nj/kA6+ZlU=

c/JFdRndG8f/HiQTTw==

nMmcD1UjeHet

QWR7+9Rh8/l8J3BR

9MD+BzOyI6mXtM4w6LMyEA==

WABgaYPqdJzl2TviGbdH

02OexRebqj3+U2kXhQ0=

j17M2R3/fQwFHiQTTw==

dQpReYss5/l8J3BR

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

bd811d9e445bb6882d2864faaf80f668.exe

description pid process target process

PID 1048 set thread context of 620 1048 bd811d9e445bb6882d2864faaf80f668.exe bd811d9e445bb6882d2864faaf80f668.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

bd811d9e445bb6882d2864faaf80f668.exe

pid process

620 bd811d9e445bb6882d2864faaf80f668.exe

description	pid	process	target process
PID 1048 set thread context of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe

pid	process
620	bd811d9e445bb6882d2864faaf80f668.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

bd811d9e445bb6882d2864faaf80f668.exe

description	pid	process	target process
PID 1048 wrote to memory of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 1048 wrote to memory of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 1048 wrote to memory of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 1048 wrote to memory of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 1048 wrote to memory of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 1048 wrote to memory of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 1048 wrote to memory of 620	1048	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe

C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe
"C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1048

C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe
"C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:620

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/620-64-0x00000000004012B0-mapping.dmp

Download
memory/620-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/620-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/620-68-0x00000000009C0000-0x0000000000CC3000-memory.dmp

Filesize
3.0MB

Download
memory/1048-55-0x00000000759F1000-0x00000000759F3000-memory.dmp

Filesize
8KB

Download
memory/1048-56-0x0000000000850000-0x0000000000866000-memory.dmp

Filesize
88KB

Download
memory/1048-57-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/1048-58-0x0000000007E70000-0x0000000007F0A000-memory.dmp

Filesize
616KB

Download
memory/1048-59-0x0000000005D80000-0x0000000005DE0000-memory.dmp

Filesize
384KB

Download
memory/1048-54-0x0000000000EC0000-0x0000000000FA6000-memory.dmp

Filesize
920KB

Download