Overview

overview

10

Static

static

SecuriteIn...29.exe

windows7_x64

10

SecuriteIn...29.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    172s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    28-07-2021 12:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe

  • Size

    658KB

  • MD5

    7fe8c41bb1d7824a3d85eccb9dd59a14

  • SHA1

    c91f48bf0b3a56b4b8a8179a7d24aaeaa73d5765

  • SHA256

    eac598331e98c72219bd9f7fbc5754288aaa0236cd27d09bce81a182503ac7ea

  • SHA512

    fcb66c54fc6b9c2bba0d20f11f22d1ee9b0b3894801e67607b2cc781637c348e06ef83d2a9752727d9df58312eef70e2dedcded4eea006573d332620f3862de9

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.santanabeautycares.com/gmtr/

Decoy

kocnetelgroup.com

william-and-alexandra.com

overseasdata.com

the-wild-wild-east.com

analistaweb.net

hybridkarts.com

secure-apple-ld.com

semjasessprx.com

ahaa.store

9maskgame.online

bellydancer-cicycai.com

qy35tc.com

immopix.net

catarinayamamoto.com

binvestcrm.com

mycsource.com

cookedonpropane.net

melmorg.com

mattkalita.com

animalkitchen.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1032
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.PackedNET.953.13414.21329.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1036

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1032-60-0x0000000000DB0000-0x0000000000DB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-62-0x0000000000BC0000-0x0000000000BC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1032-63-0x00000000003D0000-0x00000000003DB000-memory.dmp
    Filesize

    44KB

    Download
  • memory/1032-64-0x0000000005050000-0x00000000050C5000-memory.dmp
    Filesize

    468KB

    Download
  • memory/1032-65-0x0000000000B80000-0x0000000000BB0000-memory.dmp
    Filesize

    192KB

    Download
  • memory/1036-67-0x000000000041EBE0-mapping.dmp
    Download
  • memory/1036-66-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1036-68-0x0000000000970000-0x0000000000C73000-memory.dmp
    Filesize

    3.0MB

    Download