Overview

overview

10

Static

static

3ff3442c40...11.exe

windows7-x64

10

3ff3442c40...11.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    43s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    30-11-2022 16:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3ff3442c4098aed3f2b0c6cb52ecab522a028b18a9bcd1319a79b3dcff05de11.exe

  • Size

    813KB

  • MD5

    1cd16f3fa7973a96a8bd8185f10da1a3

  • SHA1

    2ca8e7705af44b14bd4805e12d0c64b787fdf7f1

  • SHA256

    3ff3442c4098aed3f2b0c6cb52ecab522a028b18a9bcd1319a79b3dcff05de11

  • SHA512

    87bb61ed46130cd7589cd154400bf45ea82eb57c92c3ffb5d163a69cf52de202602bea01f0a1518377d04499c728bd4ad5e02b1789625210dc304cfc7b142f33

  • SSDEEP

    12288:Q1pbZyY47t7pa5bNp0A9RTfYfZMa2yydQ8OQ6rgtkl0Ig95lvTHRyoY:qbKaxRIOa2S8J6080IgvpjRpY

Score
10/10
formbooks20gratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

s20g

Decoy

coconutdap.com

pukka-party.co.uk

apexrp.dev

boostmycredit.info

bipobofficial.com

bjl009.com

kagoshimum.com

crtinha.xyz

longsteephill.co.uk

forfour4.com

adversata.com

lesaek.ru

chafang3.xyz

haungo.net

mynextgen.africa

credit-cards-45560.com

cnc-printing.com

antoniafredrik.se

likemedclinic.ru

gyeakoncert.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3ff3442c4098aed3f2b0c6cb52ecab522a028b18a9bcd1319a79b3dcff05de11.exe
    "C:\Users\Admin\AppData\Local\Temp\3ff3442c4098aed3f2b0c6cb52ecab522a028b18a9bcd1319a79b3dcff05de11.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:364
    • C:\Users\Admin\AppData\Local\Temp\3ff3442c4098aed3f2b0c6cb52ecab522a028b18a9bcd1319a79b3dcff05de11.exe
      "C:\Users\Admin\AppData\Local\Temp\3ff3442c4098aed3f2b0c6cb52ecab522a028b18a9bcd1319a79b3dcff05de11.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/364-54-0x0000000001310000-0x00000000013E2000-memory.dmp
    Filesize

    840KB

    Download
  • memory/364-55-0x0000000075131000-0x0000000075133000-memory.dmp
    Filesize

    8KB

    Download
  • memory/364-56-0x00000000003F0000-0x0000000000406000-memory.dmp
    Filesize

    88KB

    Download
  • memory/364-57-0x0000000000420000-0x000000000042E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/364-58-0x00000000011A0000-0x0000000001210000-memory.dmp
    Filesize

    448KB

    Download
  • memory/364-59-0x0000000000AF0000-0x0000000000B24000-memory.dmp
    Filesize

    208KB

    Download
  • memory/964-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/964-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/964-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/964-64-0x000000000041F120-mapping.dmp
    Download
  • memory/964-65-0x0000000000700000-0x0000000000A03000-memory.dmp
    Filesize

    3.0MB

    Download