formbook | 34c78648a400263531a09c99c5979b2520b7705bede0b48773cd2ec5cb88cdd7

Analysis

max time kernel
139s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6546a7ea064c3d9f64088e019d9886f58524c335.exe
Size

836KB
MD5

8ba209a4fa3662aa0bbe28789524a293
SHA1

6546a7ea064c3d9f64088e019d9886f58524c335
SHA256

34c78648a400263531a09c99c5979b2520b7705bede0b48773cd2ec5cb88cdd7
SHA512

18ce206118e2bf27469afbdf275b99fc611028cb01c468405e9362725896954b5417ae7e72869b50e5489663b44a4b0bbfdeb93eb66afcf2b7ca7e4e2f4d65f4
SSDEEP

12288:kF1ptxzc/f9C80BNM1o3t64Vhe7VulmSb9kLON9b5Wx:mnz2fE80BS1o3t5Vs7bqVN9k

Score

10^/10

formbook g44n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

g44n

Decoy

t60gB4YRvsDLttd9HG4=

xck8G7COQ+g7VIpX

BQQF3mmpLPskhQ==

eLWwmzNyK6ee+nF1jDvvkxuSGA==

3tlgNOzw8BBjpNOQMnc=

nOpNEJhoU0h+00S9E1YfgA==

xcvTpljkjIyEdvhp+VcGFtJC

bZxOHr5CtzY4

rOD304X0u1DN/m7cbA==

Knixl0HJyEOOiNckwk8GFtJC

S4JMDRNTUAol

Vp9wSwNZSfY7VIpX

0Nf/zlrpmpahnM+tpkYGFtJC

joXsuHiBcVp88DHEHMA7

yN8i9ppoZYHSSaqqk6NZnQ==

4UFEMfyKhSB4UovzjdabqolwhFtMH1M=

d3RiRcXCeR8wlgjEHMA7

eMUS8PSBPCe2rPg=

LCsR0X328UuSAmlf

/keifSXopayqjLt1EWQ=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3448 set thread context of 4792	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	93

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe
3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe
3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe
3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe
4792	6546a7ea064c3d9f64088e019d9886f58524c335.exe
4792	6546a7ea064c3d9f64088e019d9886f58524c335.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 3448 wrote to memory of 4316	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	91
PID 3448 wrote to memory of 4316	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	91
PID 3448 wrote to memory of 4316	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	91
PID 3448 wrote to memory of 2312	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	92
PID 3448 wrote to memory of 2312	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	92
PID 3448 wrote to memory of 2312	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	92
PID 3448 wrote to memory of 4792	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	93
PID 3448 wrote to memory of 4792	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	93
PID 3448 wrote to memory of 4792	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	93
PID 3448 wrote to memory of 4792	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	93
PID 3448 wrote to memory of 4792	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	93
PID 3448 wrote to memory of 4792	3448	6546a7ea064c3d9f64088e019d9886f58524c335.exe	93

C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
"C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3448
- C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
  "C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
  2⤵
  PID:4316
- C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
  "C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
  2⤵
  PID:2312
- C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
  "C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4792

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3448-132-0x0000000000470000-0x0000000000544000-memory.dmp

Filesize
848KB

Download
memory/3448-133-0x00000000055F0000-0x0000000005B94000-memory.dmp

Filesize
5.6MB

Download
memory/3448-134-0x0000000004EE0000-0x0000000004F72000-memory.dmp

Filesize
584KB

Download
memory/3448-135-0x0000000004FB0000-0x0000000004FBA000-memory.dmp

Filesize
40KB

Download
memory/3448-136-0x0000000009090000-0x000000000912C000-memory.dmp

Filesize
624KB

Download
memory/4792-140-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-142-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4792-143-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/4792-144-0x0000000001250000-0x000000000159A000-memory.dmp

Filesize
3.3MB

Download