Analysis

  • max time kernel
    78s
  • max time network
    30s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64 arch:x86 image:win7-20221111-en locale:en-us os:windows7-x64 system
  • submitted
    29-11-2022 08:34

General

  • Target

    SecuriteInfo.com.Win32.CrypterX-gen.16304.exe

  • Size

    902KB

  • MD5

    2c37cb553314943214dc79d2d5cd95d2

  • SHA1

    8d729ace154aae255cc7d20e0038889c1a16b30b

  • SHA256

    5cfdb9f856907336025bbd526f7383ae8edbce669348b8e330251dfe21072c8f

  • SHA512

    fea37cc09a83b578a2911924becca74df9fa1cec27fe182a455cc88b31c91033ceaee5f32bb4ce4e51cb354156da295c3d5281f383264261be0aa467b2bc6686

  • SSDEEP

    24576:0YLeTgdo0x708aTH0wikFauuPZA2FDdEPf:0YLKgDx70j0wikFauuPZAzP

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ndgi

Decoy

vuicotvxrejp3il.xyz

w3fa6.net

sappuno02.com

konstruksirumah.xyz

usalifehealth.com

and1f.xyz

atenmentfstinfdow.beauty

primepipe.net

roundhouseny.com

alexandermcqueen.icu

transporteavalos.com

spankmetaverse.xyz

jhccowholesale.com

bielefeldgebaeudereinigung.com

saintraphaelschool.com

larifaa.online

dejabrew.info

izabelaeraphael.com

granniestoneet.com

greensourceseed.com
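The sandbox labels all twenty domains "Decoy": a Formbook configuration carries a list of domains in which the real C2 is hidden among decoys, and the bot beacons to entries from that list, so a single resolution of one of these names is weak evidence (decoys are often parked or legitimate sites) while one host resolving several of them within minutes is a strong signal. The block below is an added example, not part of the report or of any sandbox code: it parses the config block exactly as printed above and runs a threshold detection over constructed DNS log lines. The log format (`<timestamp> <host> <query>`), the host names, the threshold of three distinct config domains and the five-minute window are assumptions.

```python
"""Added example: turn the extracted Formbook config into IOCs and run a
DNS-log detection over them. Not from the report; log lines, threshold
and window are constructed/assumed."""
from collections import defaultdict
from datetime import datetime, timedelta

# The config block, copied verbatim from the report above.
CONFIG_TEXT = """
Family
formbook
Version
4.1
Campaign
ndgi
Decoy
vuicotvxrejp3il.xyz
w3fa6.net
sappuno02.com
konstruksirumah.xyz
usalifehealth.com
and1f.xyz
atenmentfstinfdow.beauty
primepipe.net
roundhouseny.com
alexandermcqueen.icu
transporteavalos.com
spankmetaverse.xyz
jhccowholesale.com
bielefeldgebaeudereinigung.com
saintraphaelschool.com
larifaa.online
dejabrew.info
izabelaeraphael.com
granniestoneet.com
greensourceseed.com
"""

KEYS = ("Family", "Version", "Campaign", "Decoy")


def parse_config(text):
    """Parse the report's key-on-one-line / value-on-the-next layout.
    Decoy is the only multi-valued key; it becomes a list."""
    cfg = {"decoy": []}
    key = None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        if line in KEYS:
            key = line.lower()
            continue
        if key == "decoy":
            cfg["decoy"].append(line.lower())
        elif key:
            cfg[key] = line
    return cfg


# Constructed DNS log (assumed format: timestamp, source host, query).
# ws-17 resolves three config domains within seconds; ws-22 resolves one.
DNS_LOG = """\
2022-11-29T08:35:01 ws-17 vuicotvxrejp3il.xyz
2022-11-29T08:35:02 ws-17 www.microsoft.com
2022-11-29T08:35:03 ws-17 w3fa6.net
2022-11-29T08:35:09 ws-17 sappuno02.com
2022-11-29T08:36:10 ws-22 primepipe.net
2022-11-29T08:36:11 ws-22 login.live.com
2022-11-29T09:10:00 ws-17 konstruksirumah.xyz
"""


def flag_hosts(log_text, domains, threshold=3, window=timedelta(minutes=5)):
    """Return {host: sorted distinct config domains} for every host that
    resolved >= threshold distinct config domains inside one window."""
    hits = defaultdict(list)  # host -> [(timestamp, matched domain)]
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the detector
        ts, host, query = parts
        q = query.lower().rstrip(".")
        # match the exact name or a subdomain of it (www.decoy.xyz -> decoy.xyz)
        match = next((d for d in domains if q == d or q.endswith("." + d)), None)
        if match:
            hits[host].append((datetime.fromisoformat(ts), match))
    flagged = {}
    for host, events in hits.items():
        events.sort()
        for i, (t0, _) in enumerate(events):
            seen = {d for t, d in events[i:] if t - t0 <= window}
            if len(seen) >= threshold:
                flagged[host] = sorted(seen)
                break
    return flagged


if __name__ == "__main__":
    cfg = parse_config(CONFIG_TEXT)
    print(cfg["family"], cfg["version"], cfg["campaign"], len(cfg["decoy"]), "domains")
    for host, doms in flag_hosts(DNS_LOG, set(cfg["decoy"])).items():
        print("ALERT", host, doms)
```

The subdomain match matters in practice: decoy lists are bare registrable names, while the queries you see may carry a `www.` or other label in front. Treat the hash set (MD5/SHA1/SHA256 above) and the domain list as one IOC bundle; the domains are what will still fire after the crypter is rebuilt with a new hash.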

Signatures

  • Formbook

    Formbook is an information-stealing malware family sold as malware-as-a-service: it grabs credentials and form data from browsers and mail clients, logs keystrokes and clipboard contents, takes screenshots, and can download and run further payloads on command.

  • Formbook payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.16304.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.16304.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1128
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.16304.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.16304.exe"
      2⤵
        PID:1556
      • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.16304.exe
        "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.16304.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1228
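The tree above shows the sample launching two copies of itself, and the parent (PID 1128) is the one flagged for SetThreadContext and WriteProcessMemory. A parent that creates a child from its own image, writes into that child, and then rewrites one of its thread contexts is the process-hollowing sequence: the crypter stub maps the decrypted payload into the child and points the child's main thread at it, which is why only the second child (PID 1228) goes on to show any behaviour of its own. Self-spawning on its own is not suspicious (browsers do it for every renderer), so a detection has to correlate the child creation with the cross-process API calls. The block below is an added example, not part of the report: it scores self-spawned children from a constructed event stream that mirrors the tree (the PIDs and the sample path are from the report; which child received the single SetThreadContext call is an assumption, as the report only gives totals).

```python
"""Added example (not from the report): score self-spawned children for
process hollowing from process-creation and cross-process API events.
The event list is constructed; the split of API calls between the two
children is assumed."""
from collections import defaultdict

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.CrypterX-gen.16304.exe"
CHROME = r"C:\Program Files\Google\Chrome\Application\chrome.exe"  # benign self-spawner

EVENTS = [
    {"type": "create", "pid": 1128, "ppid": 900,  "image": SAMPLE},
    {"type": "create", "pid": 1556, "ppid": 1128, "image": SAMPLE},
    {"type": "create", "pid": 1228, "ppid": 1128, "image": SAMPLE},
    {"type": "api", "pid": 1128, "target": 1556, "call": "WriteProcessMemory"},
    {"type": "api", "pid": 1128, "target": 1228, "call": "WriteProcessMemory"},
    {"type": "api", "pid": 1128, "target": 1228, "call": "SetThreadContext"},
    # control case: a browser parent spawning a renderer from the same image
    {"type": "create", "pid": 2000, "ppid": 900,  "image": CHROME},
    {"type": "create", "pid": 2001, "ppid": 2000, "image": CHROME},
]

# The two calls the report attributes to the parent; both must target the
# same child for the hollowing verdict.
HOLLOWING_APIS = ("WriteProcessMemory", "SetThreadContext")


def hollowing_verdicts(events):
    """Return {child_pid: verdict} for every child created from the same
    image as its parent. The verdict hardens only when the parent also
    writes into that child and redirects one of its threads."""
    procs = {e["pid"]: e for e in events if e["type"] == "create"}
    calls = defaultdict(set)  # (caller pid, target pid) -> set of API names
    for e in events:
        if e["type"] == "api":
            calls[(e["pid"], e["target"])].add(e["call"])

    verdicts = {}
    for pid, proc in procs.items():
        parent = procs.get(proc["ppid"])
        if parent is None or parent["image"].lower() != proc["image"].lower():
            continue  # only self-spawned children are candidates here
        seen = [api for api in HOLLOWING_APIS if api in calls[(parent["pid"], pid)]]
        if len(seen) == len(HOLLOWING_APIS):
            verdicts[pid] = "probable hollowing"
        elif seen:
            verdicts[pid] = "suspicious: " + ", ".join(seen)
        else:
            verdicts[pid] = "self-spawn only"
    return verdicts


if __name__ == "__main__":
    for pid, verdict in sorted(hollowing_verdicts(EVENTS).items()):
        print(pid, verdict)
```

With Sysmon rather than sandbox hooks the same logic maps onto Event ID 1 (parent and child `Image` equal) joined with Event ID 10 (`ProcessAccess` from the parent to the child with `PROCESS_VM_WRITE` and `THREAD_SET_CONTEXT` in `GrantedAccess`); the point is the join on the target PID, not the exact API names.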

    Network

    MITRE ATT&CK Matrix


    Downloads

    • memory/1128-54-0x0000000000BA0000-0x0000000000C88000-memory.dmp
      Filesize

      928KB

    • memory/1128-55-0x00000000766F1000-0x00000000766F3000-memory.dmp
      Filesize

      8KB

    • memory/1128-56-0x0000000000210000-0x0000000000226000-memory.dmp
      Filesize

      88KB

    • memory/1128-57-0x0000000000230000-0x000000000023E000-memory.dmp
      Filesize

      56KB

    • memory/1128-58-0x0000000005740000-0x00000000057D4000-memory.dmp
      Filesize

      592KB

    • memory/1128-59-0x0000000005010000-0x000000000506C000-memory.dmp
      Filesize

      368KB

    • memory/1228-60-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/1228-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/1228-64-0x000000000041F180-mapping.dmp
    • memory/1228-63-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

    • memory/1228-65-0x0000000000840000-0x0000000000B43000-memory.dmp
      Filesize

      3.0MB
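The dump names encode the process, a sequence number and the address range, and the sizes the report lists are just `end - start`. Two of the entries are worth reading together: the `mapping.dmp` at 0x41F180 in the hollowed child (PID 1228) falls inside the 0x400000-0x42F000 image-base region that was dumped three times, which tells you which region dump to open first, and the 3.0MB region at 0x840000 is the largest allocation in that child. The block below is an added example, not part of the report: it parses the names listed above, checks the computed sizes against the listed ones, resolves each mapping address to the region dumps that contain it, and picks the largest region per process. The naming scheme is read off these names, not taken from any documentation.

```python
"""Added example (not from the report): parse the sandbox memory-dump
names above into address ranges, check them against the listed sizes and
locate the mapping address. Naming scheme inferred from the names."""
import re

# Names copied from the report.
DUMP_NAMES = [
    "memory/1128-54-0x0000000000BA0000-0x0000000000C88000-memory.dmp",
    "memory/1128-55-0x00000000766F1000-0x00000000766F3000-memory.dmp",
    "memory/1128-56-0x0000000000210000-0x0000000000226000-memory.dmp",
    "memory/1128-57-0x0000000000230000-0x000000000023E000-memory.dmp",
    "memory/1128-58-0x0000000005740000-0x00000000057D4000-memory.dmp",
    "memory/1128-59-0x0000000005010000-0x000000000506C000-memory.dmp",
    "memory/1228-60-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1228-61-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1228-64-0x000000000041F180-mapping.dmp",
    "memory/1228-63-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/1228-65-0x0000000000840000-0x0000000000B43000-memory.dmp",
]

# Sizes as the report prints them, keyed by sequence number.
LISTED = {54: "928KB", 55: "8KB", 56: "88KB", 57: "56KB", 58: "592KB",
          59: "368KB", 60: "188KB", 61: "188KB", 63: "188KB", 65: "3.0MB"}

REGION_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
MAPPING_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-mapping\.dmp$")


def parse_dump_name(name):
    """Return a dict describing a region dump (start/end) or a mapping dump (addr)."""
    m = REGION_RE.match(name)
    if m:
        pid, seq, start, end = m.groups()
        return {"kind": "region", "pid": int(pid), "seq": int(seq),
                "start": int(start, 16), "end": int(end, 16), "name": name}
    m = MAPPING_RE.match(name)
    if m:
        pid, seq, addr = m.groups()
        return {"kind": "mapping", "pid": int(pid), "seq": int(seq),
                "addr": int(addr, 16), "name": name}
    raise ValueError("unrecognised dump name: " + name)


def size_kb(region):
    return (region["end"] - region["start"]) // 1024


def human(nbytes):
    """Reproduce the report's size format: whole KB below 1MB, else x.yMB."""
    if nbytes >= 1024 * 1024:
        return "%.1fMB" % (nbytes / (1024 * 1024))
    return "%dKB" % (nbytes // 1024)


def size_mismatches(dumps, listed):
    """Sequence numbers whose computed size differs from the listed one."""
    return [d["seq"] for d in dumps if d["kind"] == "region"
            and human(d["end"] - d["start"]) != listed.get(d["seq"])]


def regions_containing(dumps, pid, addr):
    """Sequence numbers of region dumps of `pid` that contain `addr`."""
    return sorted(d["seq"] for d in dumps if d["kind"] == "region"
                  and d["pid"] == pid and d["start"] <= addr < d["end"])


def resolve_mappings(dumps):
    """Map each mapping dump name to the region dumps that contain its address."""
    return {d["name"]: regions_containing(dumps, d["pid"], d["addr"])
            for d in dumps if d["kind"] == "mapping"}


def largest_region(dumps, pid):
    return max((d for d in dumps if d["kind"] == "region" and d["pid"] == pid), key=size_kb)


DUMPS = [parse_dump_name(n) for n in DUMP_NAMES]

if __name__ == "__main__":
    print("size mismatches:", size_mismatches(DUMPS, LISTED))
    for name, seqs in resolve_mappings(DUMPS).items():
        print(name, "->", seqs)
    big = largest_region(DUMPS, 1228)
    print("largest region in 1228: seq %d, %d KB" % (big["seq"], size_kb(big)))
```

The 0x400000 region of the child is the hollowed image (188KB, dumped at three points in time), so the mapping address is the thread start the parent set inside it; when carving the unpacked payload, diff the three copies of that region and open the latest, then move to the 3.0MB allocation.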