formbook | 984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05

Analysis

max time kernel
57s
max time network
43s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 12:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
Size

697KB
MD5

acc14200ecd88fb0e18ac6aacf4c32d3
SHA1

a8d5a6b73167bdf6a0394e8f4f244b5195f782fb
SHA256

984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05
SHA512

2ea790cb57c3f43cca57e5142f0f1bc56fe710f7cb3bfee21a3003fa23467a721abc5507f8b3af436944779a0a64f61950c543f94cebe63f2e0c02bb7e3d07f7
SSDEEP

12288:Orugh/PsZ1DX/VDJJc9awH9vqc3cixdzjVDn4L/ITqMZFUd:eugh/PJ4w5JtJZU/MqZd

Score

10^/10

formbook d8ax rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

d8ax

Decoy

wQDD4HkJc+vErnk=

j7vdn039QTY5Gcs43SDb8R4gwLgFCI7s

ZqPN0enMl4As

kKK00fOMq6KZmHv6kZjEiTm3l1o=

CxCTti/0Dcs5qly/AVHoTg==

5TwVtD3wcevErnk=

/ieoWNXMl4As

caK67QvHGhmiEuKpidX2RA==

Bbyy3J6D1Qw=

LV5N2gOocvpbA/OB/w==

k7k2OMNsBY67libDOi4=

wuDokhS1jLo4mA==

RVGz6anMl4As

la40BCHFwoI/rpugbdoaWQ==

XmVnfY0nNACG5si5u8Ds6F79xw==

dpyQTuytl0/bShsFIYUaHRzIL4quYwxgTA==

yvmesDDPpTSrLhf5GlvvdaCZekhAsg==

obTEXhervaSWkSbDOi4=

ClZogXcOT1DcPyvgOKJM

Drlokv/cjLo4mA==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe

description	pid	process	target process
PID 1516 set thread context of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe

pid process

1504 984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe

pid	process
1504	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe

description	pid	process	target process
PID 1516 wrote to memory of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
PID 1516 wrote to memory of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
PID 1516 wrote to memory of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
PID 1516 wrote to memory of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
PID 1516 wrote to memory of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
PID 1516 wrote to memory of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
PID 1516 wrote to memory of 1504	1516	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe	984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe

C:\Users\Admin\AppData\Local\Temp\984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
"C:\Users\Admin\AppData\Local\Temp\984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1516

C:\Users\Admin\AppData\Local\Temp\984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe
"C:\Users\Admin\AppData\Local\Temp\984a9449ed9070e40a86c6b5ab4a3ae6e0df87d9b316e26db7e876942b3b2f05.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1504

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-64-0x00000000004012B0-mapping.dmp

Download
memory/1504-60-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1504-61-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1504-63-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1504-66-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1504-67-0x0000000000401000-0x000000000042E000-memory.dmp

Filesize
180KB

Download
memory/1504-68-0x0000000000DF0000-0x00000000010F3000-memory.dmp

Filesize
3.0MB

Download
memory/1516-55-0x0000000075841000-0x0000000075843000-memory.dmp

Filesize
8KB

Download
memory/1516-56-0x0000000000220000-0x0000000000238000-memory.dmp

Filesize
96KB

Download
memory/1516-57-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1516-58-0x0000000005080000-0x00000000050F0000-memory.dmp

Filesize
448KB

Download
memory/1516-59-0x00000000004B0000-0x00000000004E4000-memory.dmp

Filesize
208KB

Download
memory/1516-54-0x0000000000D30000-0x0000000000DE4000-memory.dmp

Filesize
720KB

Download