Overview

overview

10

Static

static

fdebcac351...8c.exe

windows7_x64

10

fdebcac351...8c.exe

windows10_x64

10

Analysis

  • max time kernel
    110s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    28-10-2021 11:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fdebcac35105439faeecb9658e617a8c.exe

  • Size

    393KB

  • MD5

    fdebcac35105439faeecb9658e617a8c

  • SHA1

    2ab30ddc845cf8664fbc96f82263f89fca255cec

  • SHA256

    3f8d5d1f035d14a94abe8191fb35dd70961af3590ec61a0e90afdb322cd5e18b

  • SHA512

    3e6ce3997aed664225be3fc363e4343fc8af70f610ef0502001beb9cd679efa09af94e637556b971f4b929c819e2fb5fb8352a6e7c9c1372034084368a3af123

Score
10/10
formbookkzk9ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kzk9

C2

http://www.yourmajordomo.com/kzk9/

Decoy

tianconghuo.club

1996-page.com

ourtownmax.net

conservativetreehose.com

synth.repair

donnachicacreperia.com

tentfull.com

weapp.download

surfersink.com

gattlebusinessservices.com

sebastian249.com

anhphuc.company

betternatureproducts.net

defroplate.com

seattlesquidsquad.com

polarjob.com

lendingadvantage.com

angelsondope.com

goportjitney.com

tiendagrupojagr.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe
    "C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3780
    • C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe
      "C:\Users\Admin\AppData\Local\Temp\fdebcac35105439faeecb9658e617a8c.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/852-125-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/852-126-0x000000000041EB80-mapping.dmp
    Download
  • memory/852-127-0x0000000001760000-0x0000000001A80000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3780-116-0x0000000000670000-0x0000000000671000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-118-0x0000000005450000-0x0000000005451000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-119-0x0000000004FF0000-0x0000000004FF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-120-0x0000000004EE0000-0x0000000004EE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-121-0x0000000004F50000-0x000000000544E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3780-122-0x0000000005180000-0x0000000005186000-memory.dmp
    Filesize

    24KB

    Download
  • memory/3780-123-0x0000000007650000-0x0000000007651000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3780-124-0x0000000007600000-0x000000000764F000-memory.dmp
    Filesize

    316KB

    Download