formbook | 3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e

Analysis

max time kernel
64s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 11:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
Size

1.0MB
MD5

6be4ed58ccaac533af70b264d7132bac
SHA1

0084169c3f9e4acef3917f29873f81d7474bcd82
SHA256

3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e
SHA512

4e51bca0bd135f3800371481121c439b3a138fb90e70f7a50b66811940199e34f35cddabaff64fcacab5c45d9544844bd34eb4e29c8fce72bbd7bc8bec4c6743
SSDEEP

12288:rXWgh/PsZ1DX/VDJIhp+dTjmuYqfaIGU0MgXo5BASa37dI6R82HOC7:rWgh/P9h2ugJhLASaW6R82HOs

Score

10^/10

formbook wu27 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

wu27

Decoy

69/AbbgufRx7loCQ5G4WYQ==

uydiDFvHsFxlIrdq

NBlmCe8ii+DEa2ye5G4WYQ==

LicGnHCl/UZ2UMg=

e2lQ8e1lsXvAeX+U5G4WYQ==

2bF/M54rOGusdYqc5G4WYQ==

mQLidD9i82JIsrqysw==

ZdlDYrcsl/L9eH+U5G4WYQ==

80ucyjCJdqXkcNI=

/eg6aKbVvNkwOcxzZyAx3cCTN5E=

lflaF0MvE+fHXoWmrg==

qRfykIXbxMkND1kwe3I=

s6iSNSVOMwnpvFDxdFLlOfqBMw==

imkLObSlIdc=

oBUBm36yNaZ99JYxenA=

ngFE7+IP8Te6N75o

O6Htl8Oyjb0Msrqysw==

f4JgCEnC0LEC9w==

9+dNeq/hVxaAhxzT1pbgzZ2mb3Nf

980jQpYF3y1wMomLfWU=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

description	pid	process	target process
PID 584 set thread context of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

pid process

960 3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

pid	process
960	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

description	pid	process	target process
PID 584 wrote to memory of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
PID 584 wrote to memory of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
PID 584 wrote to memory of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
PID 584 wrote to memory of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
PID 584 wrote to memory of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
PID 584 wrote to memory of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
PID 584 wrote to memory of 960	584	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe	3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe

C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
"C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:584
- C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe
  "C:\Users\Admin\AppData\Local\Temp\3f208f220000f38395c96a06011496d755e7f4932a037ac08f884dbe81462a0e.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:960

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/584-54-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/584-55-0x0000000075B11000-0x0000000075B13000-memory.dmp

Filesize
8KB

Download
memory/584-56-0x0000000000280000-0x0000000000298000-memory.dmp

Filesize
96KB

Download
memory/584-57-0x0000000000210000-0x000000000021C000-memory.dmp

Filesize
48KB

Download
memory/584-58-0x00000000048E0000-0x0000000004950000-memory.dmp

Filesize
448KB

Download
memory/584-59-0x0000000005660000-0x0000000005694000-memory.dmp

Filesize
208KB

Download
memory/960-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-64-0x00000000004012B0-mapping.dmp

Download
memory/960-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/960-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/960-68-0x0000000000B80000-0x0000000000E83000-memory.dmp

Filesize
3.0MB

Download