Overview

overview

10

Static

static

f6c8a8e534...23.exe

windows7-x64

10

f6c8a8e534...23.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-08-2022 07:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f6c8a8e5346a698e0733248a0ec6e323.exe

  • Size

    320KB

  • MD5

    f6c8a8e5346a698e0733248a0ec6e323

  • SHA1

    6e0be3bcd53afae69635fdecb1b7f350f9306563

  • SHA256

    fc6dd1debc45ce8b420b281bda6fdf1bc103e4c977009a954924ca50d95bd7ba

  • SHA512

    076578e7d60d26215fb7f43b58873abda5ee83bf31d8969b0a0ca9a8bdf91774487ece9d6ffb6a32c57154269d84f9ac2c3926bc76e944b87c59fc9f2d5dfd84

Score
10/10
formbookeni9ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

eni9

Decoy

serenatutino.com

oshuncleaningservices.com

themodernring.com

elhoodurbano.com

borntobeabrand.com

wingene168.com

raising.cloud

kumen.store

azdistribution.store

myrecordingapp.com

minshu.info

zhongxiangxinge.com

linentemptation.com

corealestatevideo.com

carpection.com

mompreneur.services

ent34.com

udicoin.net

trulyclassical.com

paraalemdatela.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f6c8a8e5346a698e0733248a0ec6e323.exe
    "C:\Users\Admin\AppData\Local\Temp\f6c8a8e5346a698e0733248a0ec6e323.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4936
    • C:\Users\Admin\AppData\Local\Temp\f6c8a8e5346a698e0733248a0ec6e323.exe
      "C:\Users\Admin\AppData\Local\Temp\f6c8a8e5346a698e0733248a0ec6e323.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4492

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4492-134-0x0000000000000000-mapping.dmp

    Download

  • memory/4492-135-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/4492-136-0x0000000001720000-0x0000000001A6A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4936-132-0x0000000000260000-0x00000000002B4000-memory.dmp

    Filesize

    336KB

    Download

  • memory/4936-133-0x0000000005150000-0x00000000056F4000-memory.dmp

    Filesize

    5.6MB

    Download