Overview

overview

10

Static

static

9ea8f0cefa...d6.exe

windows7_x64

10

9ea8f0cefa...d6.exe

windows10_x64

10

Analysis

  • max time kernel
    40s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    15-07-2021 09:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9ea8f0cefae38838925df14a6f2a29d6.exe

  • Size

    917KB

  • MD5

    9ea8f0cefae38838925df14a6f2a29d6

  • SHA1

    39e17f53087911a9d716f7e1d4c93789995de4de

  • SHA256

    7d46e9015525b4cc3c23cd864847208ec36bad8ddfadb56b672d8c0acbfeae6a

  • SHA512

    e5fb01e53387ae415ff66b091ef6687ae0319d0abb117028c4123e2187488a8252ebeafbc96f5ff135498b10fa622399a4f37bda963cd884a3e517ffe32b7815

Score
10/10
formbookagilenetratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.survivai.com/bsdd/

Decoy

533dh.com

galerisikayet.xyz

tipsyalligator.com

crystalwellnessstudio.com

moovaap.com

lelfie.network

speedy-trips.com

prospectsolucoes.com

24x7customersservice.com

szbinsen.com

shikhardeals.com

totaldenta.com

ayksjx.com

avxrja.online

24kyule888.com

ufaw.net

spinozone.com

castvoicesmsreg.com

lajollawoodworks.com

renetyson.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Obfuscated with Agile.Net obfuscator 1 IoCs

    Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

    agilenet
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe
    "C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3948
    • C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe
      "C:\Users\Admin\AppData\Local\Temp\9ea8f0cefae38838925df14a6f2a29d6.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1096

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1096-128-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1096-130-0x0000000001A00000-0x0000000001D20000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1096-129-0x000000000041EB30-mapping.dmp
    Download
  • memory/3948-122-0x0000000005CE0000-0x0000000005D01000-memory.dmp
    Filesize

    132KB

    Download
  • memory/3948-119-0x0000000005C40000-0x0000000005C41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-120-0x0000000005D10000-0x0000000005D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-114-0x0000000000900000-0x0000000000901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-123-0x0000000006BE0000-0x0000000006BE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-124-0x0000000006BA0000-0x0000000006BA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-125-0x0000000005D11000-0x0000000005D12000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-126-0x0000000006DF0000-0x0000000006DFB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/3948-127-0x0000000006E00000-0x0000000006E01000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-118-0x00000000052E0000-0x00000000052E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-117-0x0000000005240000-0x0000000005241000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3948-116-0x00000000056A0000-0x00000000056A1000-memory.dmp
    Filesize

    4KB

    Download