Overview

overview

10

Static

static

99912794ef...ad.exe

windows7_x64

10

99912794ef...ad.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    82s
  • max time network
    42s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    09-06-2022 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99912794ef989327c3a99a7afd6439ad.exe

  • Size

    688KB

  • MD5

    99912794ef989327c3a99a7afd6439ad

  • SHA1

    aaee4dbefc9ce54cf45e16b8a921ef16681ee5b5

  • SHA256

    4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353

  • SHA512

    64c9a72beeff481f5ac0656e7b7f64a1e514a224eb236ff9c9dee03696af0f5f043dc0ef8236d6493ca91d91ae2643c4ac45e0fd9aaf854bd290f43bac244188

Score
10/10
formbookfw02ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe
    "C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2036
    • C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe
      "C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1704

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1704-59-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1704-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1704-63-0x000000000041F150-mapping.dmp
    Download
  • memory/1704-62-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1704-64-0x0000000000AE0000-0x0000000000DE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2036-54-0x00000000000A0000-0x0000000000150000-memory.dmp
    Filesize

    704KB

    Download
  • memory/2036-55-0x0000000075C01000-0x0000000075C03000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2036-56-0x00000000004A0000-0x00000000004B6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2036-57-0x0000000005270000-0x0000000005302000-memory.dmp
    Filesize

    584KB

    Download
  • memory/2036-58-0x0000000004890000-0x00000000048C4000-memory.dmp
    Filesize

    208KB

    Download