Overview

overview

10

Static

static

3ecdafd3c1...b8.exe

windows7_x64

10

3ecdafd3c1...b8.exe

windows10_x64

10

Analysis

  • max time kernel
    93s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    06-07-2021 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ecdafd3c19efbfc4f06d5d2aefd02b8.exe

  • Size

    888KB

  • MD5

    3ecdafd3c19efbfc4f06d5d2aefd02b8

  • SHA1

    808ab748f5fee7b4f5b802a89b1e3ac44e47fdd1

  • SHA256

    f198ab80b865300fc6721e506292ddbe21d18004daec3f567c53fd9e2d86dc7f

  • SHA512

    99098adfaa9358d10ccd47b63631b0369fb8bdd4a95714c2611d2668e9aba20c3671bb42af59ec773470e1297f13d28ccf09d8280a3b2e1cdb9dbce920526523

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hai96.com/lvno/

Decoy

pennilanecompany.com

doshjpft.icu

avolveathlete.com

infinixinfo.com

boforpresident.com

tepeyaccafe.com

psontour.com

bootyandbeauty.com

saisdgiveaway.com

pokebrostogo.com

pizzafromsky.com

cobroking.site

greisslerbox.com

twittletweet.com

xwbcm817.xyz

100hougong.com

fdn2018.com

bestrankedstuff.com

astralmotivations.com

gottagowalkies.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
    "C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4444
    • C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe
      "C:\Users\Admin\AppData\Local\Temp\3ecdafd3c19efbfc4f06d5d2aefd02b8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4132-126-0x000000000041EB20-mapping.dmp
    Download
  • memory/4132-128-0x0000000000F20000-0x0000000001240000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/4132-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4444-121-0x00000000059A0000-0x00000000059A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4444-119-0x0000000005840000-0x0000000005D3E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4444-120-0x00000000031D0000-0x00000000031D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4444-114-0x0000000000D40000-0x0000000000D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4444-122-0x0000000005B10000-0x0000000005B1F000-memory.dmp
    Filesize

    60KB

    Download
  • memory/4444-123-0x0000000008C10000-0x0000000008C8C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/4444-124-0x000000000B240000-0x000000000B281000-memory.dmp
    Filesize

    260KB

    Download
  • memory/4444-118-0x0000000005780000-0x0000000005781000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4444-117-0x0000000005D40000-0x0000000005D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4444-116-0x0000000005640000-0x0000000005641000-memory.dmp
    Filesize

    4KB

    Download