Overview

overview

10

Static

static

1

cedc7056c4...18.exe

windows7_x64

10

cedc7056c4...18.exe

windows10_x64

10

Analysis

  • max time kernel
    104s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10-en-20211104
  • submitted
    18-11-2021 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    cedc7056c435a629f10a443b40d6a818.exe

  • Size

    335KB

  • MD5

    cedc7056c435a629f10a443b40d6a818

  • SHA1

    508cf8b71f106c43997358508df7661e7c074776

  • SHA256

    0e2e801a0cc0e4257442d1243a17ae2ec7e7057cdb4a41a899d9aec7eb77cfbb

  • SHA512

    6552c1c22d4d44a86c8898a189abdd0975d7a7e4106ff4bf604f0a716071464595994b3cba4273e3fe7c496b7109993eced616caf566d633798afa02366ba07e

Score
10/10
formbookjy0bratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jy0b

C2

http://www.filecrev.com/jy0b/

Decoy

lamejorimagen.com

mykabukibrush.com

modgon.com

barefoottherapeutics.com

shimpeg.net

trade-sniper.com

chiangkhancityhotel.com

joblessmoni.club

stespritsubways.com

chico-group.com

nni8.xyz

searchtypically.online

jobsyork.com

bestsales-crypto.com

iqmarketing.info

bullcityphotobooths.com

fwssc.icu

1oc87s.icu

usdiesel.xyz

secrets2optimumnutrition.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\cedc7056c435a629f10a443b40d6a818.exe
    "C:\Users\Admin\AppData\Local\Temp\cedc7056c435a629f10a443b40d6a818.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3452
    • C:\Users\Admin\AppData\Local\Temp\cedc7056c435a629f10a443b40d6a818.exe
      "C:\Users\Admin\AppData\Local\Temp\cedc7056c435a629f10a443b40d6a818.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3308

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsoCC4B.tmp\ftbtjrox.dll
    MD5

    9a46adb3491e5a39fd31dee94647cabf

    SHA1

    c54d21a0afa947c16f112d3f5f4df66de37dfd25

    SHA256

    bc2323a8dbf4bbe8bf23261359fe3fdb786d78fd0da538e8541ad35edb3dbdbf

    SHA512

    b2034699dcaacd8ae9283d1e28f8ba2165412b7d0c1a8af94ae72637a5c7c3363f74fc8dfa6256ec592eb62ac362a1aa3a143f444b9d3bf62a1b162edf3e953a

    Download Submit
  • memory/3308-119-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3308-120-0x000000000041F150-mapping.dmp
    Download
  • memory/3308-121-0x00000000009D0000-0x0000000000CF0000-memory.dmp
    Filesize

    3.1MB

    Download