Analysis

  • max time kernel: 151s
  • max time network: 159s
  • platform: windows10_x64
  • resource: win10-en-20211208
  • submitted: 31-01-2022 05:18

General

  • Target: a506ca65b78a0c3475f855f463c0ce06.exe
  • Size: 534KB
  • MD5: a506ca65b78a0c3475f855f463c0ce06
  • SHA1: a28f9be767b628af5954de4c0218d7c75e1bfe16
  • SHA256: d0eabfe28f6b77c25d883ad3e380620f1367082cc58f309e4d24dd1d2c3548c8
  • SHA512: b2e6f535adaf821552f73fd6391dfb419359b8d9379ba1cf8a2a832b120bd570c8402f50906d3399a9a04205157b2780cc0e180470e4b53d2f9a04d9c7ae6058

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: cw22
  • Decoy


Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • Formbook Payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\a506ca65b78a0c3475f855f463c0ce06.exe
    "C:\Users\Admin\AppData\Local\Temp\a506ca65b78a0c3475f855f463c0ce06.exe"
    1⤵
    PID:2448
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\a506ca65b78a0c3475f855f463c0ce06.exe
      "C:\Users\Admin\AppData\Local\Temp\a506ca65b78a0c3475f855f463c0ce06.exe"
      2⤵
      PID:3996
    • C:\Users\Admin\AppData\Local\Temp\a506ca65b78a0c3475f855f463c0ce06.exe
      "C:\Users\Admin\AppData\Local\Temp\a506ca65b78a0c3475f855f463c0ce06.exe"
      2⤵
      PID:1412
      • Suspicious behavior: EnumeratesProcesses

Downloads

  • memory/1412-123-0x0000000000400000-0x000000000042F000-memory.dmp (Filesize: 188KB)
  • memory/1412-124-0x00000000017F0000-0x0000000001B10000-memory.dmp (Filesize: 3.1MB)
  • memory/2448-115-0x00000000002A0000-0x000000000032C000-memory.dmp (Filesize: 560KB)
  • memory/2448-116-0x0000000005240000-0x000000000573E000-memory.dmp (Filesize: 5.0MB)
  • memory/2448-117-0x0000000004D40000-0x0000000004DD2000-memory.dmp (Filesize: 584KB)
  • memory/2448-118-0x0000000004D40000-0x000000000523E000-memory.dmp (Filesize: 5.0MB)
  • memory/2448-119-0x0000000004CA0000-0x0000000004CAA000-memory.dmp (Filesize: 40KB)
  • memory/2448-120-0x0000000005080000-0x0000000005094000-memory.dmp (Filesize: 80KB)
  • memory/2448-121-0x0000000000A50000-0x0000000000AEC000-memory.dmp (Filesize: 624KB)
  • memory/2448-122-0x0000000000C40000-0x0000000000CA6000-memory.dmp (Filesize: 408KB)