Overview

overview

10

Static

static

e9aa6a27ec...1f.exe

windows7-x64

10

e9aa6a27ec...1f.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    109s
  • max time network
    48s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 13:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e9aa6a27ec892b6f181ce3b02ad0bdcc89a57ef61095d6328c78a96d1147111f.exe

  • Size

    996KB

  • MD5

    328b0fa25e033f6f2551f4466e2010a4

  • SHA1

    f418096848ecf5cb9f23ae98d9b521e47e6dad36

  • SHA256

    e9aa6a27ec892b6f181ce3b02ad0bdcc89a57ef61095d6328c78a96d1147111f

  • SHA512

    3e1b979c6250602a6408c709f8d2dfb9b8588b186e7f31e5907a15c160efc8528bff3d0c7b4b9f8380967a144ca618d83698b38d5e6dee85b060a249989a269b

  • SSDEEP

    12288:7Ihm7pdgj6jRPLjRPqjBjjyjBjBjBjBjLjGR9gsapVG/z7hACpzaxBDfQ/NRYvz9:El3IifOCpzqVaNRA2QM5

Score
10/10
formbookgbrratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbr

Decoy

serabet.com

galanggroup.com

zweitmeinung-urologie.com

damsalon.com

binliwine.com

lifeladderindia.com

flyingwranchmanagement.com

tripsandturns.com

3headdesign.com

aluminumfacade.com

toprestau.com

facetreatspa.com

periodrescuekit.com

dbaojian.com

altinotokurtarma.com

gkpelle.com

loguslife.com

treatse.com

lghglzcnkx.net

jawharabh.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e9aa6a27ec892b6f181ce3b02ad0bdcc89a57ef61095d6328c78a96d1147111f.exe
    "C:\Users\Admin\AppData\Local\Temp\e9aa6a27ec892b6f181ce3b02ad0bdcc89a57ef61095d6328c78a96d1147111f.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1768
    • C:\Users\Admin\AppData\Local\Temp\e9aa6a27ec892b6f181ce3b02ad0bdcc89a57ef61095d6328c78a96d1147111f.exe
      "C:\Users\Admin\AppData\Local\Temp\e9aa6a27ec892b6f181ce3b02ad0bdcc89a57ef61095d6328c78a96d1147111f.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:884
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}
    1⤵
      PID:1144

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/884-58-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/884-59-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/884-61-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/884-62-0x000000000041EB10-mapping.dmp

      Download

    • memory/884-63-0x00000000008A0000-0x0000000000BA3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1768-54-0x0000000000F50000-0x0000000001050000-memory.dmp

      Filesize

      1024KB

      Download

    • memory/1768-55-0x0000000075931000-0x0000000075933000-memory.dmp

      Filesize

      8KB

      Download

    • memory/1768-56-0x0000000000360000-0x000000000036A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/1768-57-0x0000000004DE0000-0x0000000004E3C000-memory.dmp

      Filesize

      368KB

      Download