Overview

overview

10

Static

static

4a11341c29...94.exe

windows7_x64

10

4a11341c29...94.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    40s
  • max time network
    47s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    12-07-2022 14:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a11341c29c890e791758277f1f3de80a69246fab76aec526680b9075ad6ee94.exe

  • Size

    272KB

  • MD5

    a746979db57e815f500128d266546e66

  • SHA1

    5eb6615875b85e4cb8227bd6fd9542f3c826ceb6

  • SHA256

    4a11341c29c890e791758277f1f3de80a69246fab76aec526680b9075ad6ee94

  • SHA512

    d6b36a19e7cf2e7a28f9649149fc63cf487c4b511b4151c02fa2d01d03b8fb47923b232c22f4eac3e42151bec34e49db24d0fcca11b1fd2d25c4be485692be53

Score
10/10
formbookch73ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

ch73

Decoy

cti-id.net

thewholesomewhore.info

cnhuin.com

heartfueled.life

honeyberryapiary.com

hmolettingsmaidstone.com

cashzingo.com

seltaebs.net

avanti.media

pennyarcadsettlement.com

chatchat3.com

iamtheweekender.com

marniecolette.net

yedaoxing.com

lincout.com

deevonne.com

aliyougou.com

wholistichealthawakening.com

signal.solar

111972.info

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\4a11341c29c890e791758277f1f3de80a69246fab76aec526680b9075ad6ee94.exe
    "C:\Users\Admin\AppData\Local\Temp\4a11341c29c890e791758277f1f3de80a69246fab76aec526680b9075ad6ee94.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1944
    • C:\Users\Admin\AppData\Local\Temp\4a11341c29c890e791758277f1f3de80a69246fab76aec526680b9075ad6ee94.exe
      "C:\Users\Admin\AppData\Local\Temp\4a11341c29c890e791758277f1f3de80a69246fab76aec526680b9075ad6ee94.exe"
      2⤵
        PID:1220

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nsd1A46.tmp\System.dll
      Filesize

      11KB

      MD5

      75ed96254fbf894e42058062b4b4f0d1

      SHA1

      996503f1383b49021eb3427bc28d13b5bbd11977

      SHA256

      a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

      SHA512

      58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

      Download Submit
    • \Users\Admin\AppData\Local\Temp\postmillennialist.dll
      Filesize

      70KB

      MD5

      b274c1ed9903070c97864eaa917bf273

      SHA1

      685e7d1ad7f272cebb4561c5044bb2af227894bc

      SHA256

      ff9077e745e9b2e8f75793280efadd1dd3b921e79fc21311440d79ec4cd7795a

      SHA512

      d075d5c75d98f5b298f329b8f3bd93d38737b24105519b5fee2463122f423c1e9f77b6acf9aa71d5bf2d5fb94b9f36cee12905389a1372498857bcdb5f20e3e7

      Download Submit
    • memory/1220-58-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/1220-59-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/1220-62-0x000000000041B650-mapping.dmp
      Download
    • memory/1220-61-0x0000000000400000-0x000000000042A000-memory.dmp
      Filesize

      168KB

      Download
    • memory/1220-63-0x0000000000890000-0x0000000000B93000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1944-54-0x0000000075DE1000-0x0000000075DE3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1944-57-0x0000000000500000-0x0000000000516000-memory.dmp
      Filesize

      88KB

      Download