formbook | 6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae

Analysis

max time kernel
46s
max time network
46s
platform
windows7_x64
resource
win7-20220901-en
resource tags

arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
submitted
08-12-2022 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
Size

1014KB
MD5

82d72b9f11196d6a4c1da56621aa747f
SHA1

0cb896439279030d2b3660751d110c909560290f
SHA256

6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae
SHA512

dfe2a38d0ef2bd50a8df77930362b35f02414243d72692cbbd3193cbb256dc790f8961b9109fd07fbf1f59d3417c253a18c3cb88b74b78fcdbaba07da7b603e3
SSDEEP

24576:DibznTknEBNx+te3lcvM2wv8Hbdf3yT+L74mBfNUstzo:DwngEBOte3qvTuMdf3

Score

10^/10

formbook u2t4 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

u2t4

Decoy

is0/Kr2pwzJzsQ==

Br+Y1UJXBRwi

3xyPgizUdKz09BsETkl8og==

ze1TAoMAaDPX/7U=

UVOHbw2GAq+PuIWSsQ==

OFq93KpeAiRsF44pjf8c

UjleSFYu2ROPbM8guwc/3jgL5FIc2g==

ow7s/hPgGLjvqwpJxQRltDRE

3OpfZ+axwzJzsQ==

pL9MWhCRBLWPkHMroyxnEnVM

EkLh+4L0Zn/kqj3SzhKGlog=

7WFAPUAKqMzaOaf3h/0jUEsP5FIc2g==

Npp5j75QZShZGHHS0xKGlog=

TzqeenZDdYzTtA==

YZgC6XhkQ/MxdomLwxKGlog=

gZsaHLeQT/1Yl4FYhfAKLV/kkbg=

6jTksbcyDbLMEbkU

RlKKaAnhnksyMwR/mB9umKUWjocoa24=

oDtW4wgWu8cPx93u0AqTK2A7QzRM

JyJyIEb6tH/4mdvroC9pDnIi5FIc2g==

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe

description	pid	process	target process
PID 832 set thread context of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe

pid process

580 6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe

pid	process
580	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe

description	pid	process	target process
PID 832 wrote to memory of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
PID 832 wrote to memory of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
PID 832 wrote to memory of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
PID 832 wrote to memory of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
PID 832 wrote to memory of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
PID 832 wrote to memory of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
PID 832 wrote to memory of 580	832	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe	6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe

C:\Users\Admin\AppData\Local\Temp\6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
"C:\Users\Admin\AppData\Local\Temp\6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:832
- C:\Users\Admin\AppData\Local\Temp\6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe
  "C:\Users\Admin\AppData\Local\Temp\6c0b46a75222d73d7c3b383335b4445ecbf1e4559b132dc64a291929128c04ae.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/580-64-0x00000000004012B0-mapping.dmp

Download
memory/580-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/580-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/580-68-0x0000000000CA0000-0x0000000000FA3000-memory.dmp

Filesize
3.0MB

Download
memory/832-55-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

Filesize
8KB

Download
memory/832-56-0x0000000000490000-0x00000000004A8000-memory.dmp

Filesize
96KB

Download
memory/832-57-0x00000000004B0000-0x00000000004BC000-memory.dmp

Filesize
48KB

Download
memory/832-58-0x0000000007E40000-0x0000000007EF4000-memory.dmp

Filesize
720KB

Download
memory/832-59-0x0000000007F60000-0x0000000007FDC000-memory.dmp

Filesize
496KB

Download
memory/832-54-0x0000000000B90000-0x0000000000C94000-memory.dmp

Filesize
1.0MB

Download