Analysis
max time kernel: 132s
max time network: 151s
platform: windows10_x64
resource: win10-en-20211208
submitted: 26-01-2022 15:35
Static task: static1
Behavioral task: behavioral1
Sample: fd4fde74267b1f08dc0588a66481f230.exe
Resource: win7-en-20211208
General
Target: fd4fde74267b1f08dc0588a66481f230.exe
Size: 841KB
MD5: fd4fde74267b1f08dc0588a66481f230
SHA1: f029ca51857e6fe326e6a6a573afadf9bdfcee9f
SHA256: c6e101b1f3ef37505f4cae99303735cdbc09b0ef4f33f1d3f27742722e8276b4
SHA512: 0e1b6335a3e69f7009e1445fe28c398e47fa94e6151a5c1d475bc488b41a2feafc940010bb91cab098cdf9b4a755c09f7ca9294cd406dae9c971d65eac5ba8a3
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: bt33
Domains:
mbaonlinefreedegress.info
myforevermaid.com
daoyi365.com
weientm.com
legal-mx.com
formationrigging.com
heidiet.xyz
school-prosto.store
healthvitaminnutrition.com
digitalsolutionusa.com
little-bazar.com
jnbeautycanada.com
optoelek.com
learntoairmail.com
hawkminer.com
kingofearth.love
ktnstay.xyz
zouxin.love
mainlandpr.com
mamm-hummel.com
planosdwgcad.com
dlscordapp.info
northfacecore.online
professionalswhotrade.com
vbcgrp.com
spares245.com
alphasignsatl.online
342731.com
amazingarizonaproperty.com
priorlakecarpetcleaning.com
boardwalksnj.com
shiinebydesign.com
dymends.digital
indie-shopper.com
weihiw.quest
dchehe.com
momshousegeorgia.com
bnvxnohpcuhxbcueuvl.biz
tinyspout.com
hambransupply.com
keywordjord.com
koebnertriangle.com
aodiskoo.com
zgqyjlhw.com
thule-usa.store
western-overseas.online
woofpack-adventures.com
tilallarehome.com
51easyprint.com
arucad.university
llanoseeds.com
3-v0.space
harsors.com
sumiyoshiku-tenisuhiji.xyz
alsafqah.com
wrxworld.net
evrefill.com
multicoopltda.com
ziggytherealtor.com
candidatbellomansour.info
bigpromo.club
evagrombook.com
lyni7lyo.xyz
ways.express
karasevda-jor.com
Signatures
Formbook Payload (1 IoC)
  resource: behavioral2/memory/3636-123-0x0000000000400000-0x000000000042F000-memory.dmp
  yara_rule: formbook
Suspicious use of SetThreadContext (1 IoC)
  PID 2736 (fd4fde74267b1f08dc0588a66481f230.exe) set thread context of PID 3636 (fd4fde74267b1f08dc0588a66481f230.exe)
Suspicious behavior: EnumeratesProcesses (2 IoCs)
  PID 3636 (fd4fde74267b1f08dc0588a66481f230.exe), 2 occurrences
Suspicious use of WriteProcessMemory (6 IoCs)
  PID 2736 (fd4fde74267b1f08dc0588a66481f230.exe) wrote to memory of PID 3636 (fd4fde74267b1f08dc0588a66481f230.exe), 6 occurrences
Processes
1. C:\Users\Admin\AppData\Local\Temp\fd4fde74267b1f08dc0588a66481f230.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\fd4fde74267b1f08dc0588a66481f230.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\fd4fde74267b1f08dc0588a66481f230.exe (child of 1)
      command line: "C:\Users\Admin\AppData\Local\Temp\fd4fde74267b1f08dc0588a66481f230.exe"
      - Suspicious behavior: EnumeratesProcesses
Downloads
memory/2736-115-0x0000000000B50000-0x0000000000C2A000-memory.dmp (872KB)
memory/2736-116-0x0000000005890000-0x0000000005D8E000-memory.dmp (5.0MB)
memory/2736-117-0x0000000005470000-0x0000000005502000-memory.dmp (584KB)
memory/2736-118-0x0000000005390000-0x000000000588E000-memory.dmp (5.0MB)
memory/2736-119-0x00000000055D0000-0x00000000055DA000-memory.dmp (40KB)
memory/2736-120-0x0000000005860000-0x000000000586C000-memory.dmp (48KB)
memory/2736-121-0x0000000007DB0000-0x0000000007E4C000-memory.dmp (624KB)
memory/2736-122-0x0000000007E50000-0x0000000007EBA000-memory.dmp (424KB)
memory/3636-123-0x0000000000400000-0x000000000042F000-memory.dmp (188KB)
memory/3636-124-0x00000000016F0000-0x0000000001A10000-memory.dmp (3.1MB)