Analysis

  • max time kernel
    120s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    18-10-2021 13:43

General

  • Target

    c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe

  • Size

    250KB

  • MD5

    7e5a66d60785aa472414f3d9c7cfa399

  • SHA1

    c0ff9a8d774456c0cc9fab103ea9beb61612b4a5

  • SHA256

    be576dcff77ebe92995348e2713ebef67c7503ef908f85e8227746942d2985eb

  • SHA512

    acbba3933dd9aa44c9de9d9ad23b734c0209c75d884442a3896720764584d4d1277c2c2fe605d61509fa0edfef10e7db3593e4e0f199e77dea7a639409f0b46c

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    mg0t
  • C2
    http://www.q0yczwyc.asia/mg0t/
  • Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family that harvests credentials and other data from infected hosts.

  • Formbook Payload 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
    "C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe"
    PID:1764
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe
      "C:\Users\Admin\AppData\Local\Temp\c0ff9a8d774456c0cc9fab103ea9beb61612b4a5.exe"
      PID:1748
      • Suspicious behavior: EnumeratesProcesses

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Discovery
    System Information Discovery (T1082): 1


Downloads

  • \Users\Admin\AppData\Local\Temp\nsyBEED.tmp\hsvqxok.dll
    MD5

    4c22d1a579521d4b0a54a8f7312f2aaf

    SHA1

    7ec8bd3ec72cc18f8bf8cee3dec412d19cecdee8

    SHA256

    256a1683f4beda383ed994405a4738a7959272e24c546684adbd80c9fb1ec376

    SHA512

    5f51abb7c2217ae947042d9c0dfafd87223563377301906810a8143c35fadcd72219053a49facbbd7e1f5b18c7ece56b5d40cc40faa70faf4ab2c90b560ebe39

  • memory/1748-56-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

  • memory/1748-57-0x000000000041F0D0-mapping.dmp
  • memory/1748-58-0x00000000008C0000-0x0000000000BC3000-memory.dmp
    Filesize

    3.0MB

  • memory/1764-54-0x0000000075B71000-0x0000000075B73000-memory.dmp
    Filesize

    8KB