formbook | 34c78648a400263531a09c99c5979b2520b7705bede0b48773cd2ec5cb88cdd7

Analysis

max time kernel
43s
max time network
45s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
04/01/2023, 07:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6546a7ea064c3d9f64088e019d9886f58524c335.exe
Size

836KB
MD5

8ba209a4fa3662aa0bbe28789524a293
SHA1

6546a7ea064c3d9f64088e019d9886f58524c335
SHA256

34c78648a400263531a09c99c5979b2520b7705bede0b48773cd2ec5cb88cdd7
SHA512

18ce206118e2bf27469afbdf275b99fc611028cb01c468405e9362725896954b5417ae7e72869b50e5489663b44a4b0bbfdeb93eb66afcf2b7ca7e4e2f4d65f4
SSDEEP

12288:kF1ptxzc/f9C80BNM1o3t64Vhe7VulmSb9kLON9b5Wx:mnz2fE80BS1o3t5Vs7bqVN9k

Score

10^/10

formbook g44n rat spyware stealer trojan

Malware Config

Extracted

Family

formbook

Campaign

g44n

Decoy

t60gB4YRvsDLttd9HG4=

xck8G7COQ+g7VIpX

BQQF3mmpLPskhQ==

eLWwmzNyK6ee+nF1jDvvkxuSGA==

3tlgNOzw8BBjpNOQMnc=

nOpNEJhoU0h+00S9E1YfgA==

xcvTpljkjIyEdvhp+VcGFtJC

bZxOHr5CtzY4

rOD304X0u1DN/m7cbA==

Knixl0HJyEOOiNckwk8GFtJC

S4JMDRNTUAol

Vp9wSwNZSfY7VIpX

0Nf/zlrpmpahnM+tpkYGFtJC

joXsuHiBcVp88DHEHMA7

yN8i9ppoZYHSSaqqk6NZnQ==

4UFEMfyKhSB4UovzjdabqolwhFtMH1M=

d3RiRcXCeR8wlgjEHMA7

eMUS8PSBPCe2rPg=

LCsR0X328UuSAmlf

/keifSXopayqjLt1EWQ=

Signatures

Formbook
Formbook is a data stealing malware which is capable of stealing data.
trojan spyware stealer formbook

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1636 set thread context of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1496	6546a7ea064c3d9f64088e019d9886f58524c335.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1636 wrote to memory of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28
PID 1636 wrote to memory of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28
PID 1636 wrote to memory of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28
PID 1636 wrote to memory of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28
PID 1636 wrote to memory of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28
PID 1636 wrote to memory of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28
PID 1636 wrote to memory of 1496	1636	6546a7ea064c3d9f64088e019d9886f58524c335.exe	28

C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
"C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1636
- C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe
  "C:\Users\Admin\AppData\Local\Temp\6546a7ea064c3d9f64088e019d9886f58524c335.exe"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1496

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-63-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-60-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-61-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-66-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/1496-67-0x0000000000401000-0x000000000042F000-memory.dmp

Filesize
184KB

Download
memory/1496-68-0x0000000000800000-0x0000000000B03000-memory.dmp

Filesize
3.0MB

Download
memory/1636-55-0x00000000762F1000-0x00000000762F3000-memory.dmp

Filesize
8KB

Download
memory/1636-56-0x0000000000350000-0x0000000000360000-memory.dmp

Filesize
64KB

Download
memory/1636-57-0x0000000000820000-0x000000000082A000-memory.dmp

Filesize
40KB

Download
memory/1636-58-0x0000000005DF0000-0x0000000005E86000-memory.dmp

Filesize
600KB

Download
memory/1636-59-0x0000000004870000-0x00000000048CC000-memory.dmp

Filesize
368KB

Download
memory/1636-54-0x0000000010FF0000-0x00000000110C4000-memory.dmp

Filesize
848KB

Download