Overview

overview

10

Static

static

ed43ff447c...07.exe

windows7_x64

10

ed43ff447c...07.exe

windows10_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    126s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    22-07-2021 08:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ed43ff447cd5486610731a627a930607.exe

  • Size

    1.1MB

  • MD5

    ed43ff447cd5486610731a627a930607

  • SHA1

    91449c85fb2fa5d27f8db3c8c08cdfb9d3287162

  • SHA256

    91cdb947644a5a802adac7583a79e7e560da38839489a02e7464730ff66fd004

  • SHA512

    3bd5692c8b81221a2b1e83b17b36872fc664935ed14d6d645dd0efa6e2725c0c95598e4871b358092fbb406e8eb4600face90aa1b98fe5720fd4629ff2903a1d

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy

inspirafutebol.com

customgiftshouston.com

mycreativelending.com

psplaystore.com

newlivingsolutionshop.com

dechefamsterdam.com

servicingl0ans.com

atsdholdings.com

manifestarz.com

sequenceanalytica.com

gethealthcaresmart.com

theartofsurprises.com

pirateequitypatrick.com

alliance-ce.com

wingrushusa.com

funtimespheres.com

solevux.com

antimasathya.com

profitexcavator.com

lankeboxshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe
    "C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3980
    • C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe
      "C:\Users\Admin\AppData\Local\Temp\ed43ff447cd5486610731a627a930607.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1980

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1980-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1980-127-0x0000000001890000-0x0000000001BB0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1980-126-0x000000000041EBD0-mapping.dmp
    Download
  • memory/3980-121-0x0000000005180000-0x000000000521C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/3980-119-0x00000000051F0000-0x00000000051F1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3980-120-0x0000000005540000-0x0000000005541000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3980-114-0x00000000008D0000-0x00000000008D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3980-122-0x0000000006EB0000-0x0000000006ECB000-memory.dmp
    Filesize

    108KB

    Download
  • memory/3980-123-0x0000000008B90000-0x0000000008C09000-memory.dmp
    Filesize

    484KB

    Download
  • memory/3980-124-0x0000000008C10000-0x0000000008C45000-memory.dmp
    Filesize

    212KB

    Download
  • memory/3980-118-0x00000000053E0000-0x00000000053E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3980-117-0x0000000005840000-0x0000000005841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3980-116-0x0000000005220000-0x0000000005221000-memory.dmp
    Filesize

    4KB

    Download