Overview

overview

10

Static

static

c1d74ec41c...15.exe

windows7-x64

10

c1d74ec41c...15.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    46s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    28/10/2022, 06:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1d74ec41c57e24503bb5f05117a0215.exe

  • Size

    873KB

  • MD5

    c1d74ec41c57e24503bb5f05117a0215

  • SHA1

    47bd6a606edd6229962526f5488c5c8635acc50e

  • SHA256

    ab380ec497114c124eaabbb96f643cb20dfb24d0618be4934c19c4062f82fa71

  • SHA512

    43ab24a193c2c5698c4a6d5fb6122f29204109dd608c1bd936be5104f2da29d3996cfdf6b20cbfc2d83559f0b2691f6f6dd9d098fc0ef4710b0e0b5997249bbf

  • SSDEEP

    12288:Rqh702iNpEmR/B4C0UW6Tggk3PuhB4QJP1vwY1LFUFWs8JTEc72d/DW7UKt:d1BWU7ggnhfrvwY15UIDhAg

Score
10/10
formbookhn73ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hn73

Decoy

medusaams.com

ekyas.com

deadandcompanyindianapolis.net

winnersclub.live

gozero.buzz

sdmfeh.xyz

rikfiri.com

happyworld.tech

oculusquest2linkcable.com

cksexdoll.top

aitechconsulting.net

prstampsevery.shop

kioskdz.com

fogg.productions

7gu7x5mc.com

thefactoryco.com

dvsmanpowerenterprises.com

dreamwins5.com

bgs-abogados.com

arthursouza.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe
    "C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:992
    • C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe
      "C:\Users\Admin\AppData\Local\Temp\c1d74ec41c57e24503bb5f05117a0215.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/668-60-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/668-61-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/668-63-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/668-65-0x0000000000950000-0x0000000000C53000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/992-54-0x0000000000DC0000-0x0000000000EA0000-memory.dmp

    Filesize

    896KB

    Download

  • memory/992-55-0x0000000076561000-0x0000000076563000-memory.dmp

    Filesize

    8KB

    Download

  • memory/992-56-0x0000000000930000-0x0000000000948000-memory.dmp

    Filesize

    96KB

    Download

  • memory/992-57-0x00000000004A0000-0x00000000004AC000-memory.dmp

    Filesize

    48KB

    Download

  • memory/992-58-0x0000000005740000-0x00000000057EC000-memory.dmp

    Filesize

    688KB

    Download

  • memory/992-59-0x0000000000D50000-0x0000000000DC4000-memory.dmp

    Filesize

    464KB

    Download