formbook | 67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54

Analysis

max time kernel
49s
max time network
46s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 13:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
Size

722KB
MD5

5389f9758ef51d3f6963d6784423da90
SHA1

4ba859dd7f254f2dd6f304890c089b6dda366d42
SHA256

67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54
SHA512

8bdda2de26868d3ac392a4b2273a9bb9365abca72a1b345c87bca63a8d9913e36e37f0533e66d1794ef8b53217c8775cb6ff85d64570ca5f9722fc39127869cf
SSDEEP

12288:v6kdcF8I4ycMJwjgF9qgz/A5VW+HZ1BnM33302IgFJN0V3fo0cjZnbCkI:fu8I4y8jgrqoA5QUnBnG30YCoFjZnbCx

Score

10^/10

formbook 0rft rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

0rft

Decoy

ouhzmTAhN++kgdVvcoAL+ukx7FI=

b/AAsl7j+poCqvsdhQ==

geqhPAMFrNJcHSaYr8Lk

P8N3+6G7Ut/X8wc3

t/OMzJS7R93X8wc3

VwX08ydDu1/ynVc2h/2WBUKHbA==

+ekVLl+umTTBqvsdhQ==

Vcaa12iRzI3+qvsdhQ==

dDIqvVJ9I8ah7fw/Xd4=

p6Xf5u8jI0hYw8hkX9fyQMciqgvG

erJhSR5/Nmn3qvsdhQ==

STdhWvnj9qxWHJ+aQMY=

wMotTfVO6w67i3T9UHemYQ==

ERs8NVCBapjX8wc3

OfIIrnWzp9LjSR+Setj6PqYCng7M

vnh5JHz4WxNQ

iQLl01OIh7/eoT9gABSsdg==

K7Z0BcT7mTuWc3e6U7eHty7YlHt0Qw==

kEJBNFGFf16ie70=

qibJ119LdV6ie70=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe

description	pid	process	target process
PID 856 set thread context of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe

pid process

1608 67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe

pid	process
1608	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe

description	pid	process	target process
PID 856 wrote to memory of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
PID 856 wrote to memory of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
PID 856 wrote to memory of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
PID 856 wrote to memory of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
PID 856 wrote to memory of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
PID 856 wrote to memory of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
PID 856 wrote to memory of 1608	856	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe	67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe

C:\Users\Admin\AppData\Local\Temp\67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
"C:\Users\Admin\AppData\Local\Temp\67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:856
- C:\Users\Admin\AppData\Local\Temp\67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe
  "C:\Users\Admin\AppData\Local\Temp\67e92bb97c0fc0b8a96b9fd2a0f55a0f82f9966f22824f4edc639b0370549a54.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/856-54-0x0000000001070000-0x000000000112A000-memory.dmp

Filesize
744KB

Download
memory/856-55-0x0000000075931000-0x0000000075933000-memory.dmp

Filesize
8KB

Download
memory/856-56-0x0000000000450000-0x0000000000468000-memory.dmp

Filesize
96KB

Download
memory/856-57-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/856-58-0x0000000005100000-0x0000000005170000-memory.dmp

Filesize
448KB

Download
memory/856-59-0x0000000000C90000-0x0000000000CC6000-memory.dmp

Filesize
216KB

Download
memory/1608-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-64-0x00000000004012B0-mapping.dmp

Download
memory/1608-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1608-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1608-68-0x0000000000890000-0x0000000000B93000-memory.dmp

Filesize
3.0MB

Download