Analysis
-
max time kernel
141s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20220901-en -
resource tags
-
submitted
30-11-2022 12:10
General
-
Target
5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe
-
Size
368KB
-
MD5
561189349e7ef1918a4c27182a279ca6
-
SHA1
37165c0b5bd29f23664d55e0e4279f89ccde4275
-
SHA256
5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e
-
SHA512
96ec8f72b5b031b8724296f620ba3b2e64295da62ae4d56e2d00b84d01bbbe3f3488f51ecdf7ab297b347574783ca4fad1105a1ee5fb97136affa6358c746e55
-
SSDEEP
6144:dt39+IGUiggkeVXZtFz/icY6FBXmyskHrBggUBmefTm2+zNXsl37t:CgWVXZj/XBGyskdgpfT
Malware Config
Extracted
formbook
3.9
ch
dfjz88.com
realtorscreek.com
pl8v5z.info
thicdienthoai.com
areauruguay.com
shimizu-yado.com
apples5.com
hothip.net
jm-legal.online
bkinfo28.online
edificiosakura.net
biodesixlungreflex.com
segurosblanco.com
atsintech.solutions
steuerberaterfinden.com
ojjul.com
udcomputer.com
grovescashflow.com
inglot-jlo.com
docteursnuisible.com
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 2 IoCs
-
Drops file in Windows directory 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of FindShellTrayWindow 4 IoCs
-
Suspicious use of SendNotifyMessage 4 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 3 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"1⤵
- Drops file in Windows directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"C:\Users\Admin\AppData\Local\Temp\5d11d75dc9ecba71d33f246f0f277ffec929402f96c132d186a398e6942ffb7e.exe"2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\win.iniFilesize
123B
MD56bf517432f65eb7f0d18d574bf14124c
SHA15b9f37c1dd1318ebbec3bd2f07c109eb9d22c727
SHA2566e2b70dfccabf3cc651545676a3a566c9cfae03f15f772886646abce1da35b46
SHA5127b0cb8c20034585ec8bf4b45eda5eda5993a56e24931a7426dc5a9f081ec1f82545f3e26a48a4df885c8691fc6e8026d0808aebe3cc3358ba85ddca08ac4cb06
-
memory/996-142-0x00007FF9E6370000-0x00007FF9E6565000-memory.dmpFilesize
2.0MB
-
memory/996-143-0x0000000077880000-0x0000000077A23000-memory.dmpFilesize
1.6MB
-
memory/996-134-0x0000000002370000-0x0000000002378000-memory.dmpFilesize
32KB
-
memory/996-139-0x0000000002370000-0x0000000002378000-memory.dmpFilesize
32KB
-
memory/5032-140-0x0000000000400000-0x0000000000461000-memory.dmpFilesize
388KB
-
memory/5032-141-0x0000000000400000-0x000000000042A000-memory.dmpFilesize
168KB
-
memory/5032-135-0x0000000000000000-mapping.dmp
-
memory/5032-144-0x0000000002150000-0x0000000002158000-memory.dmpFilesize
32KB
-
memory/5032-145-0x00007FF9E6370000-0x00007FF9E6565000-memory.dmpFilesize
2.0MB
-
memory/5032-146-0x0000000077880000-0x0000000077A23000-memory.dmpFilesize
1.6MB
-
memory/5032-147-0x00000000216C0000-0x0000000021A0A000-memory.dmpFilesize
3.3MB
-
memory/5032-148-0x0000000077880000-0x0000000077A23000-memory.dmpFilesize
1.6MB
-
memory/5032-149-0x0000000077880000-0x0000000077A23000-memory.dmpFilesize
1.6MB