formbook | 268552c2ffe8fbb6b8a2244ce2931ca115a4057d74bfb72fc7ba91b95d95ac63

Analysis

max time kernel
156s
max time network
179s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07-12-2022 12:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd811d9e445bb6882d2864faaf80f668.exe
Size

897KB
MD5

bd811d9e445bb6882d2864faaf80f668
SHA1

1ee49be423203c7034a6189b0364abfab6e02036
SHA256

268552c2ffe8fbb6b8a2244ce2931ca115a4057d74bfb72fc7ba91b95d95ac63
SHA512

7f1421afb65de1d60dfe5515a497b9d3c1b4c94f827d85604fa8106c0b69162f4a95463d4dd9c34b1eeb69a55ecdedce175bc938985d5a4b141e6a5b89c202df
SSDEEP

12288:x7oQgKZ/nXt7virmWhlGLaQYI1N6kowFheAjRjWf2yS/nhkehKuk5p/kAJF4JzrM:xLvFhecWf2bky0/P45rAQfWeQkNs

Score

10^/10

formbook w086 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

w086

Decoy

F6jSz+l9QmYXguG/xUipf/6ixrik

cQZre8twfBVOOJgLenGTGA==

pG5kW2/wqwEOCVxZ

KORXeYwt7wF8J3BR

HL0ZdBMjeHet

TR57b4Yi6wJ8J3BR

fRyK2yaqeDRGHiQTTw==

RwhsqfRxABNZS59wenGTGA==

GuZaY4H4ahcWKjUdVg==

I5C4/Wyz3fglj+o=

Te5QPEu3NjZ0P58LenGTGA==

M9YJLwifZIi9pfnj2Nj/kA6+ZlU=

c/JFdRndG8f/HiQTTw==

nMmcD1UjeHet

QWR7+9Rh8/l8J3BR

9MD+BzOyI6mXtM4w6LMyEA==

WABgaYPqdJzl2TviGbdH

02OexRebqj3+U2kXhQ0=

j17M2R3/fQwFHiQTTw==

dQpReYss5/l8J3BR

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook
Suspicious use of SetThreadContext 1 IoCs

Processes:

bd811d9e445bb6882d2864faaf80f668.exe

description pid process target process

PID 2176 set thread context of 1308 2176 bd811d9e445bb6882d2864faaf80f668.exe bd811d9e445bb6882d2864faaf80f668.exe

description	pid	process	target process
PID 2176 set thread context of 1308	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

bd811d9e445bb6882d2864faaf80f668.exebd811d9e445bb6882d2864faaf80f668.exe

pid	process
2176	bd811d9e445bb6882d2864faaf80f668.exe
2176	bd811d9e445bb6882d2864faaf80f668.exe
2176	bd811d9e445bb6882d2864faaf80f668.exe
2176	bd811d9e445bb6882d2864faaf80f668.exe
1308	bd811d9e445bb6882d2864faaf80f668.exe
1308	bd811d9e445bb6882d2864faaf80f668.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

bd811d9e445bb6882d2864faaf80f668.exe

description pid process

Token: SeDebugPrivilege 2176 bd811d9e445bb6882d2864faaf80f668.exe

description	pid	process
Token: SeDebugPrivilege	2176	bd811d9e445bb6882d2864faaf80f668.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

bd811d9e445bb6882d2864faaf80f668.exe

description	pid	process	target process
PID 2176 wrote to memory of 392	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 392	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 392	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1948	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1948	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1948	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1308	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1308	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1308	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1308	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1308	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe
PID 2176 wrote to memory of 1308	2176	bd811d9e445bb6882d2864faaf80f668.exe	bd811d9e445bb6882d2864faaf80f668.exe

C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe
"C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176

C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe
"C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe"
2⤵
PID:392

C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe
"C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe"
2⤵
PID:1948

C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe
"C:\Users\Admin\AppData\Local\Temp\bd811d9e445bb6882d2864faaf80f668.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1308

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/392-137-0x0000000000000000-mapping.dmp

Download
memory/1308-139-0x0000000000000000-mapping.dmp

Download
memory/1308-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1308-143-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1308-144-0x0000000001810000-0x0000000001B5A000-memory.dmp

Filesize
3.3MB

Download
memory/1948-138-0x0000000000000000-mapping.dmp

Download
memory/2176-132-0x0000000000870000-0x0000000000956000-memory.dmp

Filesize
920KB

Download
memory/2176-133-0x0000000005A20000-0x0000000005FC4000-memory.dmp

Filesize
5.6MB

Download
memory/2176-134-0x0000000005310000-0x00000000053A2000-memory.dmp

Filesize
584KB

Download
memory/2176-135-0x00000000052F0000-0x00000000052FA000-memory.dmp

Filesize
40KB

Download
memory/2176-136-0x0000000005470000-0x000000000550C000-memory.dmp

Filesize
624KB

Download