Overview

overview

10

Static

static

6b0128e753...5e.exe

windows7_x64

10

6b0128e753...5e.exe

windows10_x64

10

Analysis

  • max time kernel
    57s
  • max time network
    56s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b0128e753b4c8eb55a0726dbdbbf35e.exe

  • Size

    1.0MB

  • MD5

    6b0128e753b4c8eb55a0726dbdbbf35e

  • SHA1

    12ab2a6cb7c26acad4ba209bafdb6fd2ff33523b

  • SHA256

    0ae22d4877231b64b2e9e1252bbe8636ea43fe5692ca899733e715ccfc82e224

  • SHA512

    152e90baebb510c397a7625ec9295ea806d4c233b00df8a938c9f62ea5966f88873b26558cb03131ba992ce7713704b2f2aeb90394bf46355eb6f16d119932f7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.zglvyouzaixian.com/nki/

Decoy

igo-digiworld.com

infrahiit.com

herhealingwater.com

inspiredbytradition.com

onlinepropertyworld.com

rvwdj.com

mudahbikinsuhi.online

multipleofferonline.com

striveyouthministry.com

affectiveneuro.net

f21m.com

perfumefashion.icu

instantcash4rvs.com

help-verifiedbadge.com

solomonislandsblog.com

vipshoppingwizard.com

doggybargains.com

fjyaoxi.net

luxpropertyandassociates.com

companyfinders.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe
    "C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1676
    • C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe
      "{path}"
      2⤵
        PID:1664
      • C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe
        "{path}"
        2⤵
          PID:1604
        • C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe
          "{path}"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1624

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1624-7-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1624-8-0x000000000041EB70-mapping.dmp

        Download

      • memory/1676-2-0x0000000074110000-0x00000000747FE000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/1676-3-0x00000000010A0000-0x00000000010A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1676-5-0x0000000000430000-0x000000000043E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1676-6-0x0000000000230000-0x00000000002B1000-memory.dmp

        Filesize

        516KB

        Download