Overview

overview

10

Static

static

83cc8405d6...00.exe

windows7_x64

10

83cc8405d6...00.exe

windows10_x64

10

Analysis

  • max time kernel
    52s
  • max time network
    41s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    19-08-2021 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    83cc8405d694c0e1b3d7211202265f00.exe

  • Size

    1010KB

  • MD5

    83cc8405d694c0e1b3d7211202265f00

  • SHA1

    5195443ab0c20c2b192aa18e911a002363069c64

  • SHA256

    e2c11a82ce76ab32b7033c6d47081c6c44fe2288211fe0af6202f3333196cbe6

  • SHA512

    bae273059ca86bbd6b078a658c1002b6d148a9dd69d75fc5ad9472240c6b3fbf824a229f7184bfca1e5867a264db37b60c1ad25792747d1561f38764eb74138e

Score
10/10
formbooknffratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

C2

http://www.yellow-wink.com/nff/

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\83cc8405d694c0e1b3d7211202265f00.exe
    "C:\Users\Admin\AppData\Local\Temp\83cc8405d694c0e1b3d7211202265f00.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Users\Admin\AppData\Local\Temp\83cc8405d694c0e1b3d7211202265f00.exe
      "C:\Users\Admin\AppData\Local\Temp\83cc8405d694c0e1b3d7211202265f00.exe"
      2⤵
        PID:1748
      • C:\Users\Admin\AppData\Local\Temp\83cc8405d694c0e1b3d7211202265f00.exe
        "C:\Users\Admin\AppData\Local\Temp\83cc8405d694c0e1b3d7211202265f00.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:900

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/900-66-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/900-67-0x000000000041EAF0-mapping.dmp
      Download
    • memory/900-68-0x0000000000AB0000-0x0000000000DB3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/2008-60-0x0000000000260000-0x0000000000261000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2008-62-0x00000000048A0000-0x00000000048A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2008-63-0x0000000000610000-0x0000000000621000-memory.dmp
      Filesize

      68KB

      Download
    • memory/2008-64-0x0000000005C20000-0x0000000005CD0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/2008-65-0x0000000004180000-0x00000000041C3000-memory.dmp
      Filesize

      268KB

      Download