Overview

overview

10

Static

static

ee8cc08d22...ed.exe

windows7_x64

10

ee8cc08d22...ed.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    134s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    01-11-2021 09:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee8cc08d22bc6541b19e4b435b341ced.exe

  • Size

    559KB

  • MD5

    ee8cc08d22bc6541b19e4b435b341ced

  • SHA1

    14eef8604298dd707b6b6d40c428b176359ea686

  • SHA256

    fcd3b620d09a3268b7d58c23a46aaa8446c13e045ad99cf5c71eb2d811f3a61f

  • SHA512

    7a4ca5e3fc02cd3fc2ce1ec487d00408794fed6f5def10171e6e094ba95637c0594fc1899ab73122776b58b6dad2898b68cc5224a39a2cf67c70313fe5c89b4d

Score
10/10
formbookjy0bratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee8cc08d22bc6541b19e4b435b341ced.exe
    "C:\Users\Admin\AppData\Local\Temp\ee8cc08d22bc6541b19e4b435b341ced.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3812
    • C:\Users\Admin\AppData\Local\Temp\ee8cc08d22bc6541b19e4b435b341ced.exe
      "C:\Users\Admin\AppData\Local\Temp\ee8cc08d22bc6541b19e4b435b341ced.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1904

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1904-124-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1904-125-0x000000000041F150-mapping.dmp
    Download
  • memory/1904-126-0x00000000019B0000-0x0000000001CD0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/3812-115-0x00000000009A0000-0x00000000009A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-117-0x0000000005840000-0x0000000005841000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-118-0x00000000053E0000-0x00000000053E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-119-0x0000000005340000-0x000000000583E000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/3812-120-0x00000000053D0000-0x00000000053D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-121-0x0000000005730000-0x0000000005737000-memory.dmp
    Filesize

    28KB

    Download
  • memory/3812-122-0x0000000008C80000-0x0000000008C81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3812-123-0x0000000008E20000-0x0000000008E72000-memory.dmp
    Filesize

    328KB

    Download