Overview

overview

10

Static

static

SecuriteIn...53.exe

windows7-x64

10

SecuriteIn...53.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    47s
  • max time network
    51s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    31-08-2022 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe

  • Size

    221KB

  • MD5

    b97f2d95c4b21597d3f16064028b3536

  • SHA1

    037ceb6971a7501dc92dd709de15543a4bb0f8ae

  • SHA256

    69a0c9f8165bcb6db8b2f8b3dc4f7cb8535c92db368a95deba521ce9d0cc1008

  • SHA512

    e98b96b027cd89a1e025ae2875fe72197bd0a659583e787bd62c6a0957650b3c52254e8855782078d4c4fc87e9726995fc15e026f6710fa1ba50b88288160790

  • SSDEEP

    3072:qie6Njrjc/Ddpmj9WH6/PgXRBJjWs7EMJfldMW/3eQ3P17jJ4pWV:qQDuA9Wa/PuRBJj6gP74p

Score
10/10
formbookmh76ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Downloads MZ/PE file
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1632
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.BackDoor.SpyBotNET.25.12085.30753.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1632-54-0x0000000000E70000-0x0000000000EAE000-memory.dmp
    Filesize

    248KB

    Download
  • memory/1632-55-0x0000000075631000-0x0000000075633000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1632-56-0x00000000003F0000-0x0000000000400000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2040-57-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2040-58-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2040-61-0x000000000041F1A0-mapping.dmp
    Download
  • memory/2040-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2040-62-0x00000000008E0000-0x0000000000BE3000-memory.dmp
    Filesize

    3.0MB

    Download