Overview

overview

10

Static

static

5678413766...de.exe

windows7_x64

10

5678413766...de.exe

windows10_x64

10

Analysis

  • max time kernel
    64s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    27-07-2021 16:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    56784137661c7e02c6c0e36b8fd217de.exe

  • Size

    650KB

  • MD5

    56784137661c7e02c6c0e36b8fd217de

  • SHA1

    5b5d6c51607a99af40889379e369f8ecb98f95b8

  • SHA256

    7d65154a5dc05da45ebfe7b8a5bdb4858bf80812060257a5bde5d90ab12b23a6

  • SHA512

    fbf7c67d3598b7e62ee9eb77cb6e190672fdd9e635f07752c46e7e815083a90a5927e9e0a5c22eac66f836916cdb2724ddc03b9fec3c402b5b073c225f0f026e

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.surreal-myzrael.com/z7a/

Decoy

dotstories.xyz

egd-dz.com

caringhealthrecruit.com

transportdupont.com

teh-support.pro

catfad.com

pinewoodlakepool.net

pendekar-qq.info

duplicuty-garden.com

librtshop.com

stepmed.life

seatplusplus.com

bluzelle.money

weflew.xyz

bolaci.com

arrebatamentonews.com

sukesanblog.com

shadow-campaign.com

anpfiff.net

taste-of-poland.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\56784137661c7e02c6c0e36b8fd217de.exe
    "C:\Users\Admin\AppData\Local\Temp\56784137661c7e02c6c0e36b8fd217de.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\56784137661c7e02c6c0e36b8fd217de.exe
      "C:\Users\Admin\AppData\Local\Temp\56784137661c7e02c6c0e36b8fd217de.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1104

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1104-67-0x000000000041EB30-mapping.dmp
    Download
  • memory/1104-66-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1104-68-0x0000000000770000-0x0000000000A73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1936-60-0x0000000001270000-0x0000000001271000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1936-62-0x0000000000580000-0x0000000000581000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1936-63-0x0000000000290000-0x000000000029B000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1936-64-0x00000000051F0000-0x000000000526A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/1936-65-0x00000000005D0000-0x0000000000605000-memory.dmp
    Filesize

    212KB

    Download