Overview

overview

10

Static

static

ed43ff447c...07.exe

windows7_x64

10

ed43ff447c...07.exe

windows10_x64

10

Analysis

  • max time kernel
    61s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed43ff447cd5486610731a627a930607.exe

  • Size

    1.1MB

  • MD5

    ed43ff447cd5486610731a627a930607

  • SHA1

    91449c85fb2fa5d27f8db3c8c08cdfb9d3287162

  • SHA256

    91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004

  • SHA512

    3bd5692c8b81221a2b1e83b17b36872fc664935ed14d6d645dd0efa6e2725c0c95598e4871b358092fbb406e8eb4600face90aa1b98fe5720fd4629ff2903a1d

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy

inspirafutebol.com

customgiftshouston.com

mycreativelending.com

psplaystore.com

newlivingsolutionshop.com

dechefamsterdam.com

servicingl0ans.com

atsdholdings.com

manifestarz.com

sequenceanalytica.com

gethealthcaresmart.com

theartofsurprises.com

pirateequitypatrick.com

alliance-ce.com

wingrushusa.com

funtimespheres.com

solevux.com

antimasathya.com

profitexcavator.com

lankeboxshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe
    "C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1816
    • C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe
      "C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:548

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/548-67-0x000000000041EBD0-mapping.dmp
    Download
  • memory/548-66-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/548-68-0x0000000000B80000-0x0000000000E83000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1816-60-0x00000000008D0000-0x00000000008D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1816-62-0x0000000004D90000-0x0000000004D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1816-63-0x00000000003C0000-0x00000000003DB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/1816-64-0x0000000005F30000-0x0000000005FA9000-memory.dmp
    Filesize

    484KB

    Download
  • memory/1816-65-0x0000000000880000-0x00000000008B5000-memory.dmp
    Filesize

    212KB

    Download