Overview

overview

10

Static

static

6b0128e753...5e.exe

windows7_x64

10

6b0128e753...5e.exe

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6b0128e753b4c8eb55a0726dbdbbf35e.exe

  • Size

    1.0MB

  • MD5

    6b0128e753b4c8eb55a0726dbdbbf35e

  • SHA1

    12ab2a6cb7c26acad4ba209bafdb6fd2ff33523b

  • SHA256

    0ae22d4877231b64b2e9e1252bbe8636ea43fe5692ca899733e715ccfc82e224

  • SHA512

    152e90baebb510c397a7625ec9295ea806d4c233b00df8a938c9f62ea5966f88873b26558cb03131ba992ce7713704b2f2aeb90394bf46355eb6f16d119932f7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.zglvyouzaixian.com/nki/

Decoy

igo-digiworld.com

infrahiit.com

herhealingwater.com

inspiredbytradition.com

onlinepropertyworld.com

rvwdj.com

mudahbikinsuhi.online

multipleofferonline.com

striveyouthministry.com

affectiveneuro.net

f21m.com

perfumefashion.icu

instantcash4rvs.com

help-verifiedbadge.com

solomonislandsblog.com

vipshoppingwizard.com

doggybargains.com

fjyaoxi.net

luxpropertyandassociates.com

companyfinders.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe
    "C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3008
    • C:\Users\Admin\AppData\Local\Temp\6b0128e753b4c8eb55a0726dbdbbf35e.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2532

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2532-11-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2532-12-0x000000000041EB70-mapping.dmp
    Download
  • memory/3008-2-0x00000000733A0000-0x0000000073A8E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3008-3-0x0000000000DA0000-0x0000000000DA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3008-5-0x0000000008040000-0x0000000008041000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3008-6-0x0000000007BE0000-0x0000000007BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3008-7-0x0000000007BC0000-0x0000000007BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3008-8-0x0000000007E10000-0x0000000007E1E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3008-9-0x0000000001760000-0x00000000017E1000-memory.dmp
    Filesize

    516KB

    Download
  • memory/3008-10-0x00000000099E0000-0x00000000099E1000-memory.dmp
    Filesize

    4KB

    Download