Overview

overview

10

Static

static

99912794ef...ad.exe

windows7_x64

10

99912794ef...ad.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    91s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    09-06-2022 09:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    99912794ef989327c3a99a7afd6439ad.exe

  • Size

    688KB

  • MD5

    99912794ef989327c3a99a7afd6439ad

  • SHA1

    aaee4dbefc9ce54cf45e16b8a921ef16681ee5b5

  • SHA256

    4df9647b28defe7c3fc9f88602a582bcccb5005edd7b2784c76abb6383925353

  • SHA512

    64c9a72beeff481f5ac0656e7b7f64a1e514a224eb236ff9c9dee03696af0f5f043dc0ef8236d6493ca91d91ae2643c4ac45e0fd9aaf854bd290f43bac244188

Score
10/10
formbookfw02ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe
    "C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4168
    • C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe
      "C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe"
      2⤵
        PID:2888
      • C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe
        "C:\Users\Admin\AppData\Local\Temp\99912794ef989327c3a99a7afd6439ad.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:624

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/624-137-0x0000000000000000-mapping.dmp
      Download
    • memory/624-138-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/624-139-0x0000000001740000-0x0000000001A8A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2888-136-0x0000000000000000-mapping.dmp
      Download
    • memory/4168-130-0x00000000000F0000-0x00000000001A0000-memory.dmp
      Filesize

      704KB

      Download
    • memory/4168-131-0x00000000050A0000-0x0000000005644000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4168-132-0x0000000004B90000-0x0000000004C22000-memory.dmp
      Filesize

      584KB

      Download
    • memory/4168-133-0x0000000004B70000-0x0000000004B7A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4168-134-0x0000000008910000-0x00000000089AC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4168-135-0x0000000008E70000-0x0000000008ED6000-memory.dmp
      Filesize

      408KB

      Download