formbook | ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9

Analysis

max time kernel
106s
max time network
44s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 12:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
Size

808KB
MD5

e5aec87031becb8f74adc6a244a4965c
SHA1

ca92401e68c6a65d863303235a018538b91e3422
SHA256

ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9
SHA512

fbd97279ae3b02bb039f09475bf6e68893a0ab7b370fae28091688d0201cc025b83ca581f507adc00251c4ec6bbb7dc3960a66ed9183ef412420ab61606b2d4b
SSDEEP

24576:Zr18+L74mBfNUstzouz7Wouu6YlLH03r8JN:ZrrTnUI

Score

10^/10

formbook c43g rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

c43g

Decoy

TJbzc715oMJyvdR2QVKD7Vo0tQY7R7Ey8A==

s0SBKHqd+pu4ExyvcX8DH+EhBZk7og==

dIFcsOkaySIJIw==

nvCLvSBIvt/XA8toCA05klSmSCs=

eAuSnrNfn/zh//Q=

9gFqr+CHySIJIw==

UND1oatxstSL8/uia5b4L9sa

EE2Wu7NkmKhw6dWD/ZrV

pTc3sxUsdqBbV7mgf6U=

bOoXvKs7MlJ2sCC93H0u0w==

fYSulyhLySIJIw==

Ud0T4Sdau9HjE5WDHTLV

x1ogw5IzvNLn

a6Utc6622e7N7rKV7g3E

e8rnBl+SJgun5NdyTaaLWEbEySM=

sjRR7uGCkOl33+w=

FWLaFz7vG7RHTvemab6vBYM=

KKdNclzjyFxvW7mgf6U=

6lpaaOHCJSk=

RaGqPzng+SYHWbHDFmuS0Q==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe

description	pid	process	target process
PID 2020 set thread context of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe

pid process

1760 ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe

pid	process
1760	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe

description	pid	process	target process
PID 2020 wrote to memory of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
PID 2020 wrote to memory of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
PID 2020 wrote to memory of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
PID 2020 wrote to memory of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
PID 2020 wrote to memory of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
PID 2020 wrote to memory of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
PID 2020 wrote to memory of 1760	2020	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe	ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe

C:\Users\Admin\AppData\Local\Temp\ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
"C:\Users\Admin\AppData\Local\Temp\ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe
  "C:\Users\Admin\AppData\Local\Temp\ff9cb8f0b77b8627aff748b0c47ff83e52fdcce328283191a0284a7abdd4c9c9.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1760

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1760-64-0x00000000004012B0-mapping.dmp

Download
memory/1760-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-69-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1760-68-0x00000000008B0000-0x0000000000BB3000-memory.dmp

Filesize
3.0MB

Download
memory/1760-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1760-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1760-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2020-55-0x0000000075451000-0x0000000075453000-memory.dmp

Filesize
8KB

Download
memory/2020-54-0x0000000000C60000-0x0000000000D30000-memory.dmp

Filesize
832KB

Download
memory/2020-59-0x0000000002130000-0x0000000002164000-memory.dmp

Filesize
208KB

Download
memory/2020-58-0x0000000004F10000-0x0000000004F80000-memory.dmp

Filesize
448KB

Download
memory/2020-57-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2020-56-0x0000000000340000-0x0000000000358000-memory.dmp

Filesize
96KB

Download