formbook | 1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8

Analysis

max time kernel
202s
max time network
232s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
09-12-2022 02:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
Size

917KB
MD5

44fddb518fe7ae56bb6e7fc5cc75c074
SHA1

4aaad642633b7db923609560605bdce4545c8fb0
SHA256

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8
SHA512

72a152d732220c2d058b51b2c29fa7fa111548685d09dcbd468df9027588a60f3267b25cdf0e33e07bae8916c8d39b52699afc2b23d5ba95671ef72c132f497f
SSDEEP

12288:Q15pBBGRYdw/oZqClyzSOiyvUvLYRWqbtyZp6CHOJ4:yB0RY6bClfOiy8zTqbgL

Score

10^/10

formbook fcoz rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

fcoz

Decoy

MRP2++cHUPX9S/s=

WxagP+lDZe+e6rpChgFM3hi55Ojp

E9CIE0ss7RCbbu6iub8MJA==

iDn2ZqCzgaIw5IzW7E+SIFQ=

WajMuVFpZa01

eTOps+XHXWOPYRvUCQ==

GQj+Frw0vpbNJv8rUYyICjKS/UcDF3sw

eVYV85c8Dn4m

djkEcIZdz3iZ/7Wi4TG4wVw=

AtuAHS0J0JobAA==

wKN6UwVvlDczjD8FdsoVw1km

x5Ri/y4W2NHxaBSLs/kUdF4qkA==

7dtvTkQwrkT4FA8/cNDcTD8giQ==

Px3MU3dWITVuEnx9FuBbp9Qu

GBG1iCauLeYRoEB+wUo=

18JEUX9i8d0Bk31Lc53jABkkGDI=

gGMB3ZT6Q+GSmpC2+TeqPmtKOTo=

iGc/1QL48TRz0bu05TG4wVw=

B+l6VT8enZN3CvM=

zJNOq6BsLWPerVmK0R5bp9Qu

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

Processes:

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

description	pid	process	target process
PID 1380 set thread context of 3380	1380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

pid	process
3380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
3380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

description	pid	process	target process
PID 1380 wrote to memory of 3380	1380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1380 wrote to memory of 3380	1380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1380 wrote to memory of 3380	1380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1380 wrote to memory of 3380	1380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1380 wrote to memory of 3380	1380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
PID 1380 wrote to memory of 3380	1380	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe	1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe

C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
"C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1380

C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe
"C:\Users\Admin\AppData\Local\Temp\1756b3146d41b5bc8ba9812d3cd84915c65789abddd9e47be379122d95ae1bb8.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3380

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1380-132-0x0000000000120000-0x000000000020C000-memory.dmp

Filesize
944KB

Download
memory/1380-133-0x00000000051A0000-0x0000000005744000-memory.dmp

Filesize
5.6MB

Download
memory/1380-134-0x0000000004BF0000-0x0000000004C82000-memory.dmp

Filesize
584KB

Download
memory/1380-135-0x0000000004BA0000-0x0000000004BAA000-memory.dmp

Filesize
40KB

Download
memory/1380-136-0x0000000006E00000-0x0000000006E9C000-memory.dmp

Filesize
624KB

Download
memory/1380-137-0x0000000006EA0000-0x0000000006F06000-memory.dmp

Filesize
408KB

Download
memory/3380-138-0x0000000000000000-mapping.dmp

Download
memory/3380-139-0x0000000000400000-0x000000000042D000-memory.dmp

Filesize
180KB

Download
memory/3380-140-0x0000000000F70000-0x00000000012BA000-memory.dmp

Filesize
3.3MB

Download