Overview

overview

10

Static

static

bd5c3ee098...e1.exe

windows7_x64

10

bd5c3ee098...e1.exe

windows10_x64

10

Analysis

  • max time kernel
    120s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-en-20211014
  • submitted
    16-11-2021 09:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bd5c3ee098497398ee0f1a08b37923e1.exe

  • Size

    862KB

  • MD5

    bd5c3ee098497398ee0f1a08b37923e1

  • SHA1

    74f7aa308918769af8cc88c16f59f9a5edfc6704

  • SHA256

    c8b86f436d0bdc91763e23126a5ea0da8504ce66196eb73dc3dde8f955af1ea9

  • SHA512

    6e35ce1d7de10618ff748be80fe897d4fe6fb9a61237b7ad8b98919d51384ba4ccbfa5eff4a78ecc9dc0e8d22dc1a5fabfb42befa6988fa7e0ea626b7d108898

Score
10/10
formbookjy0bratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\bd5c3ee098497398ee0f1a08b37923e1.exe
    "C:\Users\Admin\AppData\Local\Temp\bd5c3ee098497398ee0f1a08b37923e1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Users\Admin\AppData\Local\Temp\bd5c3ee098497398ee0f1a08b37923e1.exe
      "C:\Users\Admin\AppData\Local\Temp\bd5c3ee098497398ee0f1a08b37923e1.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1312

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1148-55-0x0000000001100000-0x0000000001101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1148-57-0x00000000762D1000-0x00000000762D3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1148-58-0x0000000000FB0000-0x0000000000FB1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1148-59-0x00000000005C0000-0x00000000005C7000-memory.dmp
    Filesize

    28KB

    Download
  • memory/1148-60-0x00000000010B0000-0x00000000010FC000-memory.dmp
    Filesize

    304KB

    Download
  • memory/1312-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1312-62-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1312-64-0x000000000041F150-mapping.dmp
    Download
  • memory/1312-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1312-65-0x0000000000930000-0x0000000000C33000-memory.dmp
    Filesize

    3.0MB

    Download