Overview

overview

10

Static

static

0282fb6d34...af.exe

windows7_x64

10

0282fb6d34...af.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    112s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    06-05-2021 07:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0282fb6d3422cdebf88ba2d9ce0831af.exe

  • Size

    751KB

  • MD5

    0282fb6d3422cdebf88ba2d9ce0831af

  • SHA1

    f0c80f1d6ace27df947df38aae7b11ed4b6d7144

  • SHA256

    4fb3bfa3afd4fd027aff55a6cbbc8c3d92fb5dd84bca9d88ff893928a41b9a0a

  • SHA512

    ab8df1a2b5feb03c0df351a215d6e9bb16c3b92853aab0fe7c96308fa94e1eefc362a23cff5e61da2a3e93f28e44a9954b23e363ff6dbc72ac90da95c5f8e6de

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.projectx-dev.net/hci/

Decoy

0357shop.com

cinargenerator.com

freshwes.com

dance-pods.com

cptinsano.com

animaltales1.com

ridernationusa.com

christophergagnon.com

bzjp.icu

culturefap.com

illustrationtees.com

handwritingwork.com

thebullrunranch.com

wujingli.com

wifihouten.online

okavagegroup.com

makaladiggsfitness.com

ruvapy.com

customergirl.com

guangzhoushujukuzxtftf.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0282fb6d3422cdebf88ba2d9ce0831af.exe
    "C:\Users\Admin\AppData\Local\Temp\0282fb6d3422cdebf88ba2d9ce0831af.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:604
    • C:\Users\Admin\AppData\Local\Temp\0282fb6d3422cdebf88ba2d9ce0831af.exe
      "C:\Users\Admin\AppData\Local\Temp\0282fb6d3422cdebf88ba2d9ce0831af.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:528

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/528-123-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/528-124-0x000000000041EB90-mapping.dmp
    Download
  • memory/528-126-0x0000000000FC0000-0x00000000012E0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/604-114-0x0000000000660000-0x0000000000661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/604-116-0x00000000050A0000-0x00000000050A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/604-117-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/604-118-0x00000000052E0000-0x00000000052E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/604-119-0x00000000050C0000-0x00000000050CE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/604-120-0x0000000005B00000-0x0000000005B01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/604-121-0x0000000001050000-0x0000000001103000-memory.dmp
    Filesize

    716KB

    Download
  • memory/604-122-0x0000000000D70000-0x0000000000DDD000-memory.dmp
    Filesize

    436KB

    Download