Overview

overview

10

Static

static

f0f4b5aa61...79.exe

windows7_x64

10

f0f4b5aa61...79.exe

windows10_x64

10

Analysis

  • max time kernel
    75s
  • max time network
    136s
  • platform
    windows10_x64
  • resource
    win10-en
  • submitted
    14-09-2021 20:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0f4b5aa6183bbc5265f26e47aaeb579.exe

  • Size

    500KB

  • MD5

    f0f4b5aa6183bbc5265f26e47aaeb579

  • SHA1

    81f06990ec9c83d755d5023f95af114d92e68d45

  • SHA256

    f8d239a08e27c28f5a5dea56ab895274476ae7360d5d456d89b58d33a392d49c

  • SHA512

    3bc8bb2ac4dc15c484aac016b5c09ff55c45f7db2127a10ba5621711d66dc6287ad109906a1707dcbf0f6c8ba0078b8f6b4603e4a6365726ef419aabe7cf02e6

Score
10/10
formbookm8g0ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m8g0

C2

http://www.corbvalperu.com/m8g0/

Decoy

exclusivecan.com

junzhesuji.com

acces-credit-mutuel.com

iknitvintage.com

solonmodelun.com

debekia.com

peanutskitchen.com

kamanantzin.com

personalmodeststyle.com

qo49.com

googman.site

maisonshahnaz.com

annaalexandrovich.com

californiacashcars.com

ncafashionboutique.com

nsu0.com

cloudfirstlender.com

allforchildren.net

vn80000.com

restroon.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0f4b5aa6183bbc5265f26e47aaeb579.exe
    "C:\Users\Admin\AppData\Local\Temp\f0f4b5aa6183bbc5265f26e47aaeb579.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4008
    • C:\Users\Admin\AppData\Local\Temp\f0f4b5aa6183bbc5265f26e47aaeb579.exe
      "C:\Users\Admin\AppData\Local\Temp\f0f4b5aa6183bbc5265f26e47aaeb579.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4024

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4008-115-0x0000000000200000-0x0000000000201000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-117-0x0000000005090000-0x0000000005091000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-118-0x0000000004B90000-0x0000000004B91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-119-0x0000000005590000-0x0000000005591000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-120-0x0000000004D70000-0x0000000004D71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-121-0x0000000004B90000-0x000000000508E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4008-122-0x0000000008520000-0x0000000008521000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4008-123-0x0000000005070000-0x0000000005077000-memory.dmp
    Filesize

    28KB

    Download
  • memory/4008-124-0x0000000008A50000-0x0000000008AB9000-memory.dmp
    Filesize

    420KB

    Download
  • memory/4008-125-0x000000000B250000-0x000000000B283000-memory.dmp
    Filesize

    204KB

    Download
  • memory/4024-126-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/4024-127-0x000000000041EB70-mapping.dmp
    Download
  • memory/4024-128-0x00000000011E0000-0x0000000001500000-memory.dmp
    Filesize

    3.1MB

    Download