Overview

overview

10

Static

static

SecuriteIn...14.exe

windows7-x64

10

SecuriteIn...14.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    102s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    06-12-2022 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe

  • Size

    732KB

  • MD5

    1489d7e40e1691026ff98c8bf1a83eee

  • SHA1

    e08a1b6b74fe0d35bc2f19ed90ae90839958a45c

  • SHA256

    53176c142b4a57f89c57ed969d3a578640841c09db2a58bc9f360a636c8d5947

  • SHA512

    4ea9470172510717f0d84fc469bb3cb9eb3146da7e868030543c2d7a2ce532f264525ec0d3ff185bbce1bf4476719a4c175130734c672ab9c3a2acc4651ab8d0

  • SSDEEP

    12288:awlTqmomPZefvYh9J5rArqIyJdY4fJmIQEBg3BCJCfIUc5Yytl1sPtqvyun/Y:9omxiv6b5rA7wdYicEnCwUcSytwQF/Y

Score
10/10
formbookndgiratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ndgi

Decoy

vuicotvxrejp3il.xyz

w3fa6.net

sappuno02.com

konstruksirumah.xyz

usalifehealth.com

and1f.xyz

atenmentfstinfdow.beauty

primepipe.net

roundhouseny.com

alexandermcqueen.icu

transporteavalos.com

spankmetaverse.xyz

jhccowholesale.com

bielefeldgebaeudereinigung.com

saintraphaelschool.com

larifaa.online

dejabrew.info

izabelaeraphael.com

granniestoneet.com

greensourceseed.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.PWSX-gen.15269.16914.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:520

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/520-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/520-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/520-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/520-64-0x000000000041F180-mapping.dmp
    Download
  • memory/520-65-0x0000000000850000-0x0000000000B53000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1172-54-0x0000000000DB0000-0x0000000000E6C000-memory.dmp
    Filesize

    752KB

    Download
  • memory/1172-55-0x0000000075531000-0x0000000075533000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1172-56-0x00000000009E0000-0x00000000009FA000-memory.dmp
    Filesize

    104KB

    Download
  • memory/1172-57-0x0000000000310000-0x000000000031E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1172-58-0x0000000004E10000-0x0000000004E8A000-memory.dmp
    Filesize

    488KB

    Download
  • memory/1172-59-0x0000000000BE0000-0x0000000000C20000-memory.dmp
    Filesize

    256KB

    Download