formbook | 71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42

Analysis

max time kernel
47s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
07-12-2022 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
Size

615KB
MD5

f5f1fe50baeaa8103aaa723ddcbc7eb2
SHA1

81cae721012ae3d859210d708182bc0af4772772
SHA256

71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42
SHA512

3dae926dd42fcf73d0636a0aa80e897a5ad33553757a1108a34b773a7457bb74524a7cde2f68d2cca394bde15db84c4b7db683546b32f4354facbe5f0501329c
SSDEEP

12288:QJvylmTMGbO6JVWAeiwWG2zVj/b5CeK75/o3o5TP107kyLL1XXMQ:Wv2mTMGbr/zNoeqq0TaoyLJnM

Score

10^/10

formbook e7nb rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

e7nb

Decoy

PsTzh30CVEdk

lubNs/ediiAunBs=

508fP8IdRzd/

U549ZBc72VO65OOIBgw=

Zrhzpl05MNXVsnltXG7VJcZMaQ==

PHkdSJEyEOSxOwb6W0mv9ciuW+ybmQMt

uirizUluo2S80tubABs=

NSBqCst2TQsoCuPQCWrVJcZMaQ==

XgULikLb6PkeOubi

5YBDKpVGIrvCFbOc3Q==

8DbiHNWtmTAyw1YsjH/lL8TpimUu8ygl

nxj1I6Op1IGJVRbN7gpx

0KvxaFuA6cBryzDH1Lni7s9W

1rS3Dk9oxD/fRA==

eMFF9fHMPRZFILKx5WCRng==

pMxC7OGKd0jbCYRVMHnbFur1N+DU

nZzNQDhdyK5hEL2QkPhrtYVHz7k62Y0=

siXP5iXuAcxnhZBayg==

dP6jOfGxmFQDW+zPoDtnpnY=

MidVv6GxFvuwx5R5/w4=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe

description	pid	process	target process
PID 1836 set thread context of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe

pid process

1216 71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe

pid	process
1216	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe

description	pid	process	target process
PID 1836 wrote to memory of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
PID 1836 wrote to memory of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
PID 1836 wrote to memory of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
PID 1836 wrote to memory of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
PID 1836 wrote to memory of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
PID 1836 wrote to memory of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
PID 1836 wrote to memory of 1216	1836	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe	71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe

C:\Users\Admin\AppData\Local\Temp\71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
"C:\Users\Admin\AppData\Local\Temp\71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1836

C:\Users\Admin\AppData\Local\Temp\71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe
"C:\Users\Admin\AppData\Local\Temp\71dcac38a6bf66dfc49a933ccfcf01bfce78edc276d11ac181b2924ebf0b9e42.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1216

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1216-64-0x00000000004012B0-mapping.dmp

Download
memory/1216-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1216-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1216-68-0x0000000000970000-0x0000000000C73000-memory.dmp

Filesize
3.0MB

Download
memory/1836-55-0x0000000075771000-0x0000000075773000-memory.dmp

Filesize
8KB

Download
memory/1836-56-0x00000000004A0000-0x00000000004B8000-memory.dmp

Filesize
96KB

Download
memory/1836-57-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/1836-58-0x0000000007E70000-0x0000000007EF0000-memory.dmp

Filesize
512KB

Download
memory/1836-59-0x0000000000B50000-0x0000000000B96000-memory.dmp

Filesize
280KB

Download
memory/1836-54-0x0000000001220000-0x00000000012C0000-memory.dmp

Filesize
640KB

Download