Overview

overview

10

Static

static

ab4aa8ad80...75.exe

windows7-x64

10

ab4aa8ad80...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    180s
  • max time network
    198s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25-11-2022 09:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ab4aa8ad802b02869eaea9832e919459f3d0f320d23e95589a14bd16d8c52875.exe

  • Size

    631KB

  • MD5

    4f9200c489a9fe2be198fc29f99dc23d

  • SHA1

    8e890ec88655d62985ad10855c95fa5e5c096d61

  • SHA256

    ab4aa8ad802b02869eaea9832e919459f3d0f320d23e95589a14bd16d8c52875

  • SHA512

    71e0cce3a819bc9f9072258fb8ce2bddb99a295fa040b8f7fb492723109546cabb8970139e191e9e71fadfb1bc1c1e58deec2fc99dc80ac88c75c2890afe3fd3

  • SSDEEP

    12288:+AL7KcWiCvp4SwsnBuiECuTq11kV7wTa/yZ901uENlurBB:rL7Khpb1ECuLMSyZ9MXNl

Score
10/10
formbookkakvratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

kakv

Decoy

toilysoncaocap.com

luisxe.info

casinor.xyz

ab3262.com

milanoise.com

ikeedojoja.net

fix-pert.com

relocatingland.com

brewskymc.com

eftmississippi.com

helpmewithmyenergy.com

ctuppo.com

loyolalabschool.com

brainstormoutlet.com

merlindeppeler.com

sjditsolutions.tech

smiletakuhai.com

recovatek.com

pyonkichim78.com

scvs.site

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ab4aa8ad802b02869eaea9832e919459f3d0f320d23e95589a14bd16d8c52875.exe
    "C:\Users\Admin\AppData\Local\Temp\ab4aa8ad802b02869eaea9832e919459f3d0f320d23e95589a14bd16d8c52875.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:220
    • C:\Users\Admin\AppData\Local\Temp\ab4aa8ad802b02869eaea9832e919459f3d0f320d23e95589a14bd16d8c52875.exe
      "C:\Users\Admin\AppData\Local\Temp\ab4aa8ad802b02869eaea9832e919459f3d0f320d23e95589a14bd16d8c52875.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1796

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/220-132-0x0000000000490000-0x0000000000532000-memory.dmp

    Filesize

    648KB

    Download

  • memory/220-133-0x00000000053D0000-0x0000000005974000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/220-134-0x0000000004F00000-0x0000000004F92000-memory.dmp

    Filesize

    584KB

    Download

  • memory/220-135-0x0000000005260000-0x000000000526A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/220-136-0x0000000005F90000-0x000000000602C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/1796-137-0x0000000000000000-mapping.dmp

    Download

  • memory/1796-138-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1796-139-0x00000000017B0000-0x0000000001AFA000-memory.dmp

    Filesize

    3.3MB

    Download