Analysis

  • max time kernel
    79s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    31-01-2022 12:20

General

  • Target

    9e50ed09439b4f2206f6cee1b233677c.exe

  • Size

    510KB

  • MD5

    9e50ed09439b4f2206f6cee1b233677c

  • SHA1

    719705903de481a3c680db18f8cef892efef3dc7

  • SHA256

    b45a38f7012d02b12d3613d25450847d87c14c9b3207380594fc5e1f1b1728d9

  • SHA512

    927789d6fca24317b1cc41825485cf06cf337204d8007b32220ef2fb28ee48275102a9148682336f76e7586e5ed714d1de2098c08886ea1b76007880a5c45d80

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bt33

Decoy

mbaonlinefreedegress.info

myforevermaid.com

daoyi365.com

weientm.com

legal-mx.com

formationrigging.com

heidiet.xyz

school-prosto.store

healthvitaminnutrition.com

digitalsolutionusa.com

little-bazar.com

jnbeautycanada.com

optoelek.com

learntoairmail.com

hawkminer.com

kingofearth.love

ktnstay.xyz

zouxin.love

mainlandpr.com

mamm-hummel.com

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook Payload (1 IoC)
  • Sets service image path in registry (2 TTPs)
  • Suspicious use of SetThreadContext (1 IoC)
  • Modifies data under HKEY_USERS (41 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoC)
  • Suspicious use of WriteProcessMemory (9 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\9e50ed09439b4f2206f6cee1b233677c.exe
    "C:\Users\Admin\AppData\Local\Temp\9e50ed09439b4f2206f6cee1b233677c.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:916
    • C:\Users\Admin\AppData\Local\Temp\9e50ed09439b4f2206f6cee1b233677c.exe
      "C:\Users\Admin\AppData\Local\Temp\9e50ed09439b4f2206f6cee1b233677c.exe"
      2⤵
        PID:2100
      • C:\Users\Admin\AppData\Local\Temp\9e50ed09439b4f2206f6cee1b233677c.exe
        "C:\Users\Admin\AppData\Local\Temp\9e50ed09439b4f2206f6cee1b233677c.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1020
    • C:\Windows\System32\WaaSMedicAgent.exe
      C:\Windows\System32\WaaSMedicAgent.exe 0048a8bd3e55df3f36d8f69936799031 neWrerG0IkW2h9X5MLBNpw.0.1.0.0.0
      1⤵
      • Modifies data under HKEY_USERS
      PID:1176

Network

MITRE ATT&CK Matrix ATT&CK v6

  • Persistence
    Registry Run Keys / Startup Folder (1): T1060
  • Defense Evasion
    Modify Registry (1): T1112


Downloads

  • memory/916-133-0x0000000000C20000-0x0000000000CA6000-memory.dmp
    Filesize: 536KB
  • memory/916-134-0x0000000005790000-0x0000000005791000-memory.dmp
    Filesize: 4KB
  • memory/916-135-0x0000000005840000-0x00000000058D2000-memory.dmp
    Filesize: 584KB
  • memory/916-136-0x0000000005B80000-0x0000000005C1C000-memory.dmp
    Filesize: 624KB
  • memory/916-137-0x0000000006550000-0x0000000006AF4000-memory.dmp
    Filesize: 5.6MB
  • memory/1020-138-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB