Analysis

  • max time kernel
    95s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64, arch:x86, image:win7-20221111-en, locale:en-us, os:windows7-x64, system
  • submitted
    30-11-2022 17:55

General

  • Target

    ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe

  • Size

    793KB

  • MD5

    726a5840b97555349f40590ea60d72d3

  • SHA1

    5a701381a3c7cc84e1260d8a897d4bc6efab2767

  • SHA256

    ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799

  • SHA512

    90226ad99533e3671c8ea0c89bc791558b7004202ad24dc4cfcbfd8efe1e71077bae694d411c6653a63fbb903ae6b7fdbfa2276fa7232e04069535acf3b5039b

  • SSDEEP

    12288:I0BshJaxmfBqNSJWfg2FP/mfVsleSjASHxSbWOIlSrWZmcZxopaFK:oJaxmbolFPWVQxSElQVt

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gbc

Decoy


Signatures

  • Formbook

    Formbook is a data-stealing malware family that harvests credentials and other sensitive information from infected hosts.

  • Formbook payload 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
    "C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe
      "C:\Users\Admin\AppData\Local\Temp\ae92821eb7e6167133ce05d174ee0605a479814a1d5343a3b876780fafd38799.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:576

Network

MITRE ATT&CK Matrix

Downloads

  • memory/576-58-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/576-59-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/576-62-0x000000000041EAC0-mapping.dmp
  • memory/576-61-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/576-63-0x0000000000930000-0x0000000000C33000-memory.dmp
    Filesize

    3.0MB

  • memory/956-54-0x0000000001100000-0x00000000011CC000-memory.dmp
    Filesize

    816KB

  • memory/956-55-0x0000000075891000-0x0000000075893000-memory.dmp
    Filesize

    8KB

  • memory/956-56-0x0000000000310000-0x000000000031A000-memory.dmp
    Filesize

    40KB

  • memory/956-57-0x0000000000700000-0x0000000000762000-memory.dmp
    Filesize

    392KB