Overview

overview

10

Static

static

ded1197aa5...50.exe

windows7_x64

10

ded1197aa5...50.exe

windows10_x64

10

Analysis

  • max time kernel
    41s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06-05-2021 07:31

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe

  • Size

    845KB

  • MD5

    0b39b28e51b4a0e47ebce7626cc9b79f

  • SHA1

    8f3699a7fa6abeb247f80b92f3340df05741bd7e

  • SHA256

    ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50

  • SHA512

    bebe1a1856bee0980491f742f52209fda9c64f0469f98c16098533b3b33648dd10c22c278f04f1e0db1c455385936de2d59690fe14f50031b964e54b33cb4ecc

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.thefallofthedollar.com/ocq1/

Decoy

mukadderaltintas.com

consultant-gov.com

readingroom.center

secretflux.com

diversifica.online

outervagina.com

doylespiritwear.com

musicianonwheels.com

spencer-media.com

juunoo-nord.com

sonorista.com

narenacademy.com

672461.com

swimtrue.com

wingleefruitstore.com

sailgadabout.com

dislosureservices.com

maryaab-lpc.com

thepoojastore.com

belaronconsulting.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe
    "C:\Users\Admin\AppData\Local\Temp\ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:672
    • C:\Users\Admin\AppData\Local\Temp\ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe
      "{path}"
      2⤵
        PID:3796
      • C:\Users\Admin\AppData\Local\Temp\ded1197aa570850bc8885d3f4de9e056b9a585eeee5d511a9ee7b5c7432bdc50.exe
        "{path}"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2068

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/672-114-0x0000000000E50000-0x0000000000E51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/672-116-0x0000000005EC0000-0x0000000005EC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/672-117-0x00000000058B0000-0x00000000058B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/672-118-0x00000000059C0000-0x0000000005EBE000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/672-119-0x0000000005890000-0x0000000005891000-memory.dmp
      Filesize

      4KB

      Download
    • memory/672-120-0x0000000008F60000-0x0000000008F61000-memory.dmp
      Filesize

      4KB

      Download
    • memory/672-121-0x0000000005C90000-0x0000000005C95000-memory.dmp
      Filesize

      20KB

      Download
    • memory/672-122-0x000000000A3C0000-0x000000000A478000-memory.dmp
      Filesize

      736KB

      Download
    • memory/672-123-0x000000000C860000-0x000000000C8C9000-memory.dmp
      Filesize

      420KB

      Download
    • memory/2068-124-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2068-125-0x000000000041ED50-mapping.dmp
      Download
    • memory/2068-127-0x00000000011D0000-0x00000000014F0000-memory.dmp
      Filesize

      3.1MB

      Download