Overview

overview

10

Static

static

34dccb3834...c8.exe

windows7_x64

10

34dccb3834...c8.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    45s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    19-06-2022 19:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe

  • Size

    476KB

  • MD5

    ea607d1b385e45422cc153a5f732e98a

  • SHA1

    8dee62a8a8e22bfc9245ea2700146a78894f28f2

  • SHA256

    34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8

  • SHA512

    12785f1957cab60b3e24ed0c4150d7ba1a4095410cd3697ea44ae0233284398a51787b0f6a53bdfb33d26fb5a116323a103082d19dcd263ba9b9bbee48133279

Score
10/10
formbookshratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

sh

Decoy

ziyafetkebaprize.com

minigirl69.com

emmashawbarry.com

resolving-an-issue.info

chefmorn.com

positivelypeach.com

industrial-plc.com

news3102.pictures

robinhunghau.com

cookarevegan.online

4hlf3uvgl6v.biz

eurekaposters.com

widenewtown.life

snprovidedengineering.com

elpcb.com

kabinet-megafon.info

roturapuentetermico.com

hao641.com

freshness.farm

casino1.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe
    "C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1864
    • C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe
      "C:\Users\Admin\AppData\Local\Temp\34dccb3834daf8ababcf35c58e995e322cd5edd5780bfc944ce1a46a07e2b2c8.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1284

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1284-57-0x0000000000400000-0x000000000042A000-memory.dmp
    Filesize

    168KB

    Download
  • memory/1284-58-0x000000000041B660-mapping.dmp
    Download
  • memory/1284-59-0x00000000009A0000-0x0000000000CA3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1864-54-0x00000000002F0000-0x000000000036E000-memory.dmp
    Filesize

    504KB

    Download
  • memory/1864-55-0x0000000075A61000-0x0000000075A63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1864-56-0x0000000000550000-0x0000000000570000-memory.dmp
    Filesize

    128KB

    Download