Overview

overview

10

Static

static

b60fb0b317...91.exe

windows7_x64

10

b60fb0b317...91.exe

windows10_x64

10

Analysis

  • max time kernel
    89s
  • max time network
    69s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 16:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b60fb0b3174ffd6ccf46d23e5dd4f291.exe

  • Size

    1.6MB

  • MD5

    b60fb0b3174ffd6ccf46d23e5dd4f291

  • SHA1

    fedb0bc2f7e46d58061b8742b5d5ad61b525ab4f

  • SHA256

    56d324b70dec3c259864216d918929470e10dc5582ae70f238aaad4887358d7b

  • SHA512

    e5f7997d6b8df79d5897b438261eef644264d04d09604c5a0de485bee42df5c9374450949fb30097f7ab4e50de152d950b65f7ca5e1eea1e5088d8288a079aa6

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.meilleurspromo.com/lmsa/

Decoy

functionalkitchen.net

jiangxichuangke.com

lonerkont.space

champcarfanatics.com

csillag-szuletik.info

jupitowatch.com

lmcomputer.net

alfawize.com

mouthconsults.com

gruppolarta.com

gaymyway.com

bostonpeach.com

bioclean.pro

thingsandotherstuff.com

gencmetals.com

cwivf.com

nbhgddfgggnhhmhln.com

myscoutinglife.com

ccubk.com

cheapfloatingrentals.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b60fb0b3174ffd6ccf46d23e5dd4f291.exe
    "C:\Users\Admin\AppData\Local\Temp\b60fb0b3174ffd6ccf46d23e5dd4f291.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:808
    • C:\Users\Admin\AppData\Local\Temp\b60fb0b3174ffd6ccf46d23e5dd4f291.exe
      "C:\Users\Admin\AppData\Local\Temp\b60fb0b3174ffd6ccf46d23e5dd4f291.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1448

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/808-114-0x00000000006E0000-0x00000000006E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-116-0x0000000005070000-0x0000000005071000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-117-0x0000000005610000-0x0000000005611000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-118-0x00000000051B0000-0x00000000051B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-119-0x0000000005130000-0x0000000005131000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-120-0x0000000005110000-0x000000000560E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/808-121-0x0000000005370000-0x0000000005371000-memory.dmp
    Filesize

    4KB

    Download
  • memory/808-122-0x0000000002AE0000-0x0000000002B0D000-memory.dmp
    Filesize

    180KB

    Download
  • memory/808-123-0x0000000006C10000-0x0000000006C85000-memory.dmp
    Filesize

    468KB

    Download
  • memory/808-124-0x00000000055D0000-0x0000000005600000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1448-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1448-126-0x000000000041EB00-mapping.dmp
    Download
  • memory/1448-127-0x0000000001660000-0x0000000001980000-memory.dmp
    Filesize

    3.1MB

    Download