Overview

overview

10

Static

static

1

0b50a75467...60.exe

windows7_x64

10

0b50a75467...60.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    10-12-2021 13:39

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0b50a75467d375b948edc7bcb6f01b60.exe

  • Size

    273KB

  • MD5

    0b50a75467d375b948edc7bcb6f01b60

  • SHA1

    d9d70c204806b74acf34e95e44f5528031e777a6

  • SHA256

    b13782a081582cd40a427da82c93035d3a59cd7dffea1e9b3f3821c55fde233c

  • SHA512

    267933362fd75201a23c33b075045f564871fe9a8ee3681a515ae1e5abb29686015274919a0db92a33b78d0cc0566bfffde47cd1906834ea912dc298cdc5c7ad

Score
10/10
formbooknk6lratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nk6l

C2

http://www.rthearts.com/nk6l/

Decoy

cbnextra.com

entitysystemsinc.com

55midwoodave.com

ebelizzi.com

khojcity.com

1527brokenoakdrive.site

housinghproperties.com

ratiousa.com

lrcrepresentacoes.net

tocoec.net

khadamatdemnate.com

davidkastner.xyz

gardeniaresort.com

qiantangguoji.com

visaprepaidprocessinq.com

cristinamadara.com

semapisus.xyz

mpwebagency.net

alibabasdeli.com

gigasupplies.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0b50a75467d375b948edc7bcb6f01b60.exe
    "C:\Users\Admin\AppData\Local\Temp\0b50a75467d375b948edc7bcb6f01b60.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\0b50a75467d375b948edc7bcb6f01b60.exe
      "C:\Users\Admin\AppData\Local\Temp\0b50a75467d375b948edc7bcb6f01b60.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1148

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1148-57-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/1148-59-0x0000000000900000-0x0000000000C03000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1632-55-0x0000000076141000-0x0000000076143000-memory.dmp

    Filesize

    8KB

    Download