Overview

overview

10

Static

static

SecuriteIn...42.exe

windows7-x64

10

SecuriteIn...42.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-10-2022 04:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Trojan.MSIL.LokiBot.RPS.MTB.10978.4642.exe

  • Size

    850KB

  • MD5

    563e92482225cccdf613e99a5e9c5878

  • SHA1

    19cdb164b288f7eeb0573085dd0618181c7ba19c

  • SHA256

    62d20f5ce8950e995b0736bb3bafedb34f3b7d95f190b3a0a1592d808f697cac

  • SHA512

    c571e069330a3ee8d25ea9ccb4e53de580288e40258e108d7c0ebcef7cbcc58df851366c6f8a4fdb64389fe1ec6478973a72e15fc6f0fe7f784d083497fe6b47

  • SSDEEP

    12288:dp/HG5izZHPnmxRhsonwF4ZwPSS2v77j1I1N7Zd:nZHPmvhsk2D875I1N7

Score
10/10
formbookmmtrratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

mmtr

Decoy

A2DZqKcj5ytLVZtHJA==

fMXPWQG+JWa0S6lZOg==

8kymMDxB6ShVJHxu2gshFtXY9Rw=

1TcOF6WxcdzplqFGcUCNkBY=

k3TLhZ+bOG7ahplcPA==

K4kL5Aq5abHNS6lZOg==

mXDSo9XmxlqYN6psOA==

m+RNCVT4shAb

G1kzROn+2jCug7F5psQ=

qNYsJkWzqwkZ

0BcDQuH0xt4oBh4=

pfRW4ZhmRsEiyvP2Mg==

Sqgj4eztyCg0Ezwo39iHXQ==

bIi2etJbcdUB

k2g3gBesND9hUoKOzGaVFKX6IuUaknqH1Q==

8dFDXQPnb4s+sWfhwoqOdgmABBK+YGg=

Pn9PmDzelx84EjfdzY0WkiRPz6i4

SrUfvOfNO3DMdLvB

GFXHQ9NuPdHsxOiU2umGMSiTvQE=

Kv9sdrhSbDfMdLvB

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.LokiBot.RPS.MTB.10978.4642.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.LokiBot.RPS.MTB.10978.4642.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4876
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.LokiBot.RPS.MTB.10978.4642.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.MSIL.LokiBot.RPS.MTB.10978.4642.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2884

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2884-139-0x0000000000000000-mapping.dmp
    Download
  • memory/2884-140-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2884-142-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2884-143-0x0000000000401000-0x000000000042F000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2884-144-0x0000000001A80000-0x0000000001DCA000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4876-132-0x00000000002E0000-0x00000000003BA000-memory.dmp
    Filesize

    872KB

    Download
  • memory/4876-133-0x0000000005270000-0x0000000005814000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4876-134-0x0000000004C00000-0x0000000004C92000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4876-135-0x0000000005E40000-0x0000000006458000-memory.dmp
    Filesize

    6.1MB

    Download
  • memory/4876-136-0x0000000004D20000-0x0000000004D2A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4876-137-0x000000000A150000-0x000000000A1EC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4876-138-0x000000000A1F0000-0x000000000A256000-memory.dmp
    Filesize

    408KB

    Download