Overview

overview

10

Static

static

SecuriteIn...23.exe

windows7_x64

10

SecuriteIn...23.exe

windows10_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-11-2020 16:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe

  • Size

    1.1MB

  • MD5

    38277d6e24f7210e5b8d77a337ae51d1

  • SHA1

    b31a7b97f75c7f296bef9eb6d5c2a585bf1d802d

  • SHA256

    9728048925e7faf422c4d7bacfaa90fae8bdcc9efad8a0868b456f3d4b213d09

  • SHA512

    cac75de9024dae4ee011e7957cb410ee8e79550aa37ae184371884a6495e2dd90cc1448a9248dd5ef3e7090288c3cdb5696c99dc433e42a375eaabbf0c9827f7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.mommabearmoney.com/et2d/

Decoy

wcaconline.com

travelbackpackss.com

ao-m-nishinomiya.com

tilania.com

vegbydesign.net

mybabysisterscloset.com

sanctitude-cuspidated.com

russtybeats.com

dichvubangchuan.com

su-seikatu.info

eratosantorini.com

ninetofivemama.com

delishany.com

pawchamamapet.net

nissicloud.com

strictlyotaku.net

kissmanga.pro

appalachianfx.com

aralending.com

forbrighterlife.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:416
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe"
      2⤵
        PID:1648
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Variant.Bulz.229258.13751.2423.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:4052

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/416-0-0x0000000073970000-0x000000007405E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/416-1-0x0000000000C40000-0x0000000000C41000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-3-0x0000000005950000-0x0000000005951000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-4-0x0000000005EF0000-0x0000000005EF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-5-0x00000000059F0000-0x00000000059F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-6-0x0000000005910000-0x0000000005911000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-7-0x0000000005BE0000-0x0000000005BE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/416-8-0x0000000005930000-0x0000000005944000-memory.dmp
      Filesize

      80KB

      Download
    • memory/416-9-0x0000000006760000-0x00000000067C5000-memory.dmp
      Filesize

      404KB

      Download
    • memory/416-10-0x00000000067E0000-0x00000000067E6000-memory.dmp
      Filesize

      24KB

      Download
    • memory/416-11-0x0000000006800000-0x0000000006830000-memory.dmp
      Filesize

      192KB

      Download
    • memory/4052-12-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4052-13-0x000000000041ED50-mapping.dmp
      Download