Overview

overview

10

Static

static

6a0200a431...bc.exe

windows7_x64

10

6a0200a431...bc.exe

windows10_x64

10

Analysis

  • max time kernel
    86s
  • max time network
    20s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    21-07-2021 19:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    6a0200a4316e595561f8527e3bcf27bc.exe

  • Size

    925KB

  • MD5

    6a0200a4316e595561f8527e3bcf27bc

  • SHA1

    4c356c914ccdf83b8c89b6a02a2c4a9391094763

  • SHA256

    f8f02165547227a6692d503cf1203dcaf2d43b58219bb78cb0e42895f49a8121

  • SHA512

    af3decd9eaf59e31462fce7cdf36335814151c6c512aa0248d0877c7addbfeccdb530f01a11de1fc47b6d8f5bd1dc506175d9c0d4fd67376cd06da5e89b90470

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy

inspirafutebol.com

customgiftshouston.com

mycreativelending.com

psplaystore.com

newlivingsolutionshop.com

dechefamsterdam.com

servicingl0ans.com

atsdholdings.com

manifestarz.com

sequenceanalytica.com

gethealthcaresmart.com

theartofsurprises.com

pirateequitypatrick.com

alliance-ce.com

wingrushusa.com

funtimespheres.com

solevux.com

antimasathya.com

profitexcavator.com

lankeboxshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe
    "C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe
      "C:\Users\Admin\AppData\Local\Temp\6a0200a4316e595561f8527e3bcf27bc.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1608

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/980-59-0x0000000000840000-0x0000000000841000-memory.dmp

    Filesize

    4KB

    Download

  • memory/980-61-0x0000000004D60000-0x0000000004D61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/980-62-0x00000000003F0000-0x000000000040B000-memory.dmp

    Filesize

    108KB

    Download

  • memory/980-63-0x0000000005F60000-0x0000000005FD5000-memory.dmp

    Filesize

    468KB

    Download

  • memory/980-64-0x0000000004280000-0x00000000042B0000-memory.dmp

    Filesize

    192KB

    Download

  • memory/1608-65-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1608-66-0x000000000041EBD0-mapping.dmp

    Download

  • memory/1608-67-0x0000000000C00000-0x0000000000F03000-memory.dmp

    Filesize

    3.0MB

    Download