Overview

overview

10

Static

static

27ffb11dd7...8c.exe

windows7_x64

10

27ffb11dd7...8c.exe

windows10_x64

10

Analysis

  • max time kernel
    116s
  • max time network
    50s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    09-10-2021 07:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    27ffb11dd7fb0f497d6e43f07dc3678c.exe

  • Size

    638KB

  • MD5

    27ffb11dd7fb0f497d6e43f07dc3678c

  • SHA1

    ce5a7a2b9dddf5e3cdea4ac35eb698d1d7c556b1

  • SHA256

    46ce2096cf4b2b0a2dfa386e25baa17078c270a469ae6704e36611fb7c67f908

  • SHA512

    67f895848378672fcdaae89ad7cb230068aea043cf177397065167dffc750e4adbb75c87b1ac5fde8cc8c4cffb964fec7fe22492bc8422355faac44e4304df0a

Score
10/10
formbooked9sratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ed9s

C2

http://www.vaughnmethod.com/ed9s/

Decoy

pocketoptioniraq.com

merabestsolutions.com

atelectronics.site

fuxueshi.net

infinitystay.com

forensicconcept.site

txpmachine.com

masterwhs.xyz

dia-gnwsis.art

fulltiltnodes.com

bigbnbbsc.com

formation-figma.com

bonanacroin.net

medicalmarijuanasatx.com

bagnavy.com

aaegiscares.net

presentationpublicschool.com

bestyousite.site

prescriptionn.com

beyondthenormbouquets.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\27ffb11dd7fb0f497d6e43f07dc3678c.exe
    "C:\Users\Admin\AppData\Local\Temp\27ffb11dd7fb0f497d6e43f07dc3678c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1988
    • C:\Users\Admin\AppData\Local\Temp\27ffb11dd7fb0f497d6e43f07dc3678c.exe
      "C:\Users\Admin\AppData\Local\Temp\27ffb11dd7fb0f497d6e43f07dc3678c.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1300

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1300-67-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1300-68-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1300-70-0x000000000041F160-mapping.dmp
    Download
  • memory/1300-69-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1300-71-0x0000000000850000-0x0000000000B53000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1988-60-0x00000000010E0000-0x00000000010E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-62-0x0000000075AD1000-0x0000000075AD3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1988-63-0x00000000010A0000-0x00000000010A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1988-64-0x0000000000390000-0x0000000000396000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1988-65-0x0000000005D90000-0x0000000005DF2000-memory.dmp
    Filesize

    392KB

    Download
  • memory/1988-66-0x0000000000740000-0x0000000000772000-memory.dmp
    Filesize

    200KB

    Download