Overview

overview

10

Static

static

ded1197aa5...50.exe

windows7_x64

10

ded1197aa5...50.exe

windows10_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    15s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    06-05-2021 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe

  • Size

    845KB

  • MD5

    0b39b28e51b4a0e47ebce7626cc9b79f

  • SHA1

    8f3699a7fa6abeb247f80b92f3340df05741bd7e

  • SHA256

    ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50

  • SHA512

    bebe1a1856bee0980491f742f52209fda9c64f0469f98c16098533b3b33648dd10c22c278f04f1e0db1c455385936de2d59690fe14f50031b964e54b33cb4ecc

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.thefallofthedollar.com/ocq1/

Decoy

mukadderaltintas.com

consultant-gov.com

readingroom.center

secretflux.com

diversifica.online

outervagina.com

doylespiritwear.com

musicianonwheels.com

spencer-media.com

juunoo-nord.com

sonorista.com

narenacademy.com

672461.com

swimtrue.com

wingleefruitstore.com

sailgadabout.com

dislosureservices.com

maryaab-lpc.com

thepoojastore.com

belaronconsulting.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe
    "C:\Users\Admin\AppData\Local\Temp\ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1832
    • C:\Users\Admin\AppData\Local\Temp\ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1640-65-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1640-66-0x000000000041ED50-mapping.dmp
    Download
  • memory/1640-68-0x0000000000B00000-0x0000000000E03000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1832-59-0x0000000000890000-0x0000000000891000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-61-0x0000000004E90000-0x0000000004E91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1832-62-0x00000000003F0000-0x00000000003F5000-memory.dmp
    Filesize

    20KB

    Download
  • memory/1832-63-0x0000000009270000-0x0000000009328000-memory.dmp
    Filesize

    736KB

    Download
  • memory/1832-64-0x0000000000350000-0x00000000003B9000-memory.dmp
    Filesize

    420KB

    Download