formbook | 1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8

Analysis

max time kernel
91s
max time network
35s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
09-12-2022 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
Size

917KB
MD5

44fddb518fe7ae56bb6e7fc5cc75c074
SHA1

4aaad642633b7db923609560605bdce4545c8fb0
SHA256

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8
SHA512

72a152d732220c2d058b51b2c29fa7fa111548685d09dcbd468df9027588a60f3267b25cdf0e33e07bae8916c8d39b52699afc2b23d5ba95671ef72c132f497f
SSDEEP

12288:Q15pBBGRYdw/oZqClyzSOiyvUvLYRWqbtyZp6CHOJ4:yB0RY6bClfOiy8zTqbgL

Score

10^/10

formbook fcoz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fcoz

Decoy

MRP2++cHUPX9S/s=

WxagP+lDZe+e6rpChgFM3hi55Ojp

E9CIE0ss7RCbbu6iub8MJA==

iDn2ZqCzgaIw5IzW7E+SIFQ=

WajMuVFpZa01

eTOps+XHXWOPYRvUCQ==

GQj+Frw0vpbNJv8rUYyICjKS/UcDF3sw

eVYV85c8Dn4m

djkEcIZdz3iZ/7Wi4TG4wVw=

AtuAHS0J0JobAA==

wKN6UwVvlDczjD8FdsoVw1km

x5Ri/y4W2NHxaBSLs/kUdF4qkA==

7dtvTkQwrkT4FA8/cNDcTD8giQ==

Px3MU3dWITVuEnx9FuBbp9Qu

GBG1iCauLeYRoEB+wUo=

18JEUX9i8d0Bk31Lc53jABkkGDI=

gGMB3ZT6Q+GSmpC2+TeqPmtKOTo=

iGc/1QL48TRz0bu05TG4wVw=

B+l6VT8enZN3CvM=

zJNOq6BsLWPerVmK0R5bp9Qu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

description	pid	process	target process
PID 1616 set thread context of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

pid process

636 1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

pid	process
636	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

description	pid	process	target process
PID 1616 wrote to memory of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1616 wrote to memory of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1616 wrote to memory of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1616 wrote to memory of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1616 wrote to memory of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1616 wrote to memory of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1616 wrote to memory of 636	1616	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
"C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1616

C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
"C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:636

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/636-60-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-61-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-63-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/636-64-0x0000000000420440-mapping.dmp

Download
memory/636-65-0x0000000000950000-0x0000000000C53000-memory.dmp

Filesize
3.0MB

Download
memory/1616-54-0x0000000000D00000-0x0000000000DEC000-memory.dmp

Filesize
944KB

Download
memory/1616-55-0x00000000760A1000-0x00000000760A3000-memory.dmp

Filesize
8KB

Download
memory/1616-56-0x0000000000B20000-0x0000000000B3A000-memory.dmp

Filesize
104KB

Download
memory/1616-57-0x0000000000BA0000-0x0000000000BAC000-memory.dmp

Filesize
48KB

Download
memory/1616-58-0x0000000007E90000-0x0000000007F1C000-memory.dmp

Filesize
560KB

Download
memory/1616-59-0x00000000043D0000-0x0000000004402000-memory.dmp

Filesize
200KB

Download