Overview

overview

10

Static

static

d85362ebed...3d.exe

windows7-x64

10

d85362ebed...3d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 02:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d85362ebed4b1ec73421fcad1b1ad03d.exe

  • Size

    939KB

  • MD5

    d85362ebed4b1ec73421fcad1b1ad03d

  • SHA1

    70ec5402777057c0ac6cab40698380812341e325

  • SHA256

    dc99d626b36e12c70bcb745c3b7894eda7d7d7c788978eb5ba17beca18e995ab

  • SHA512

    df86d90a862061cf0bea7f8afa75d251be726e6326d778aa52f6e41d322238bf1341d116aa13e878d33603fc2a34d67000b11372c4cc35bd536b3b99e99c4a0c

  • SSDEEP

    12288:ccr2iNUY4IWGjCRqCLg883vVB6l+Gjg34eYJPLByqzNMP1gURVrDJnR6haKnlUvV:3r1ONGjU3LgT//m9jgoeiLBI

Score
10/10
formbookw086ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

w086

Decoy

F6jSz+l9QmYXguG/xUipf/6ixrik

cQZre8twfBVOOJgLenGTGA==

pG5kW2/wqwEOCVxZ

KORXeYwt7wF8J3BR

HL0ZdBMjeHet

TR57b4Yi6wJ8J3BR

fRyK2yaqeDRGHiQTTw==

RwhsqfRxABNZS59wenGTGA==

GuZaY4H4ahcWKjUdVg==

I5C4/Wyz3fglj+o=

Te5QPEu3NjZ0P58LenGTGA==

M9YJLwifZIi9pfnj2Nj/kA6+ZlU=

c/JFdRndG8f/HiQTTw==

nMmcD1UjeHet

QWR7+9Rh8/l8J3BR

9MD+BzOyI6mXtM4w6LMyEA==

WABgaYPqdJzl2TviGbdH

02OexRebqj3+U2kXhQ0=

j17M2R3/fQwFHiQTTw==

dQpReYss5/l8J3BR

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d85362ebed4b1ec73421fcad1b1ad03d.exe
    "C:\Users\Admin\AppData\Local\Temp\d85362ebed4b1ec73421fcad1b1ad03d.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4252
    • C:\Users\Admin\AppData\Local\Temp\d85362ebed4b1ec73421fcad1b1ad03d.exe
      "C:\Users\Admin\AppData\Local\Temp\d85362ebed4b1ec73421fcad1b1ad03d.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3716

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/3716-137-0x0000000000000000-mapping.dmp

    Download

  • memory/3716-138-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3716-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3716-141-0x0000000000401000-0x000000000042F000-memory.dmp

    Filesize

    184KB

    Download

  • memory/3716-142-0x0000000000FA0000-0x00000000012EA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4252-132-0x0000000000D40000-0x0000000000E32000-memory.dmp

    Filesize

    968KB

    Download

  • memory/4252-133-0x0000000005E30000-0x00000000063D4000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4252-134-0x00000000057D0000-0x0000000005862000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4252-135-0x0000000005890000-0x000000000589A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4252-136-0x0000000005A60000-0x0000000005AFC000-memory.dmp

    Filesize

    624KB

    Download