formbook | 0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce

Analysis

max time kernel
69s
max time network
42s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
Size

913KB
MD5

c0cb8402b1f4d35c839936512ca83cb2
SHA1

a01b85c6f3477d5870508401bf0b4b26cc141608
SHA256

0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce
SHA512

8193a8be758580126ad11eac8981c3cae68c825fe94fb46eee7a1fddf55e64c2acaa2f4fc419d677287e4694a431283861f939e7d2a9b73527f7f436501a8bda
SSDEEP

12288:tre/tfHGthrPoUWqnZL/UX/VbTNZf4H7ZbAyFncrBY:EpHGzrod8UX/VXGMNY

Score

10^/10

formbook k056 rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

k056

Decoy

I6ZtzMO4tX+tliE+qt4=

qXwc4gD7yggogn987j5wQsZnc+OhAVE=

nwnBB5b4yZzLwpZtMajutbGT

OPq8wCLHoBNRnmK+wxBDDw==

bTzuol7JkFaHt0Yjm9w=

RVb6jJxpFYSv68mTCxmjAR9EpZc=

gJYxuLCQJ8jpICAakIj5TRIz5d5nAg==

YcNluGLPr6riqCE+qt4=

7tJ2VmdlX7vg97aPDEVtyjjliIg=

oogs8ATrvjR2wK2SEURppMapY0aGKC/Z

rZNRJ05YUdcJNQHYg35h1DjliIg=

fKhsEh/trUJtfzCdkKnAf7g=

RErWQtoPxr3ZgDwd53Sg8K4FuyAbCg==

WmD0j56Vdcb7lWh/svwB

O03oaGRYI2eaNCKTl1KYpv9vXA==

mx7bLs05CuYL16R6NqzutbGT

kNZrspSqg1uq7us=

NyrglqmvhbYmdlnR0J0J

byKycKqcY9f9aQaIyg==

4apJHpfrlofCi0osmHfCAXkglo4=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe

description	pid	process	target process
PID 784 set thread context of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe

pid process

980 0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe

pid	process
980	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe

description	pid	process	target process
PID 784 wrote to memory of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
PID 784 wrote to memory of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
PID 784 wrote to memory of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
PID 784 wrote to memory of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
PID 784 wrote to memory of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
PID 784 wrote to memory of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
PID 784 wrote to memory of 980	784	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe	0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe

C:\Users\Admin\AppData\Local\Temp\0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
"C:\Users\Admin\AppData\Local\Temp\0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:784

C:\Users\Admin\AppData\Local\Temp\0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe
"C:\Users\Admin\AppData\Local\Temp\0b7fdf87eaef4aacb2b9443e59783840acbe87ea018c14af6601c5311261c4ce.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:980

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/784-54-0x0000000001190000-0x000000000127A000-memory.dmp

Filesize
936KB

Download
memory/784-55-0x0000000075FC1000-0x0000000075FC3000-memory.dmp

Filesize
8KB

Download
memory/784-56-0x0000000000950000-0x000000000096A000-memory.dmp

Filesize
104KB

Download
memory/784-57-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/784-58-0x0000000007ED0000-0x0000000007F5C000-memory.dmp

Filesize
560KB

Download
memory/784-59-0x0000000000FD0000-0x0000000001002000-memory.dmp

Filesize
200KB

Download
memory/980-60-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/980-61-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/980-63-0x0000000000400000-0x000000000042B000-memory.dmp

Filesize
172KB

Download
memory/980-64-0x000000000041FF40-mapping.dmp

Download
memory/980-65-0x00000000008D0000-0x0000000000BD3000-memory.dmp

Filesize
3.0MB

Download