Overview

overview

10

Static

static

SecuriteIn...04.exe

windows7-x64

10

SecuriteIn...04.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-12-2022 09:38

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SecuriteInfo.com.Win32.RATX-gen.2018.30304.exe

  • Size

    946KB

  • MD5

    591e345ed1a7fa929b80cce8790e460f

  • SHA1

    9992eadbc531dce1185f22b360410cbd11bd1989

  • SHA256

    663d25f6a1e39bebdacdb5164e441faaa4466a00ed636b360c1d981a5f92c5d8

  • SHA512

    f765de77da52cb578a3a2a7ab0f3d8a34baa96db982f972dbe3bead73e418992ea5bf018b3619556ef83a9d05342b7c176579982fd017b9eeee3c75269dd7863

  • SSDEEP

    24576:sqndl9aebRk+T7CYWL1wCE7HuzsthZmBHG:Ld3pbq+nnWL1w3TTthSH

Score
10/10
formbookndgiratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ndgi

Decoy

vuicotvxrejp3il.xyz

w3fa6.net

sappuno02.com

konstruksirumah.xyz

usalifehealth.com

and1f.xyz

atenmentfstinfdow.beauty

primepipe.net

roundhouseny.com

alexandermcqueen.icu

transporteavalos.com

spankmetaverse.xyz

jhccowholesale.com

bielefeldgebaeudereinigung.com

saintraphaelschool.com

larifaa.online

dejabrew.info

izabelaeraphael.com

granniestoneet.com

greensourceseed.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.2018.30304.exe
    "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.2018.30304.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4964
    • C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.2018.30304.exe
      "C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.2018.30304.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/4152-137-0x0000000000000000-mapping.dmp
    Download
  • memory/4152-138-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/4152-139-0x0000000000EE0000-0x000000000122A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4964-132-0x0000000000980000-0x0000000000A72000-memory.dmp
    Filesize

    968KB

    Download
  • memory/4964-133-0x0000000005B50000-0x00000000060F4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4964-134-0x0000000005480000-0x0000000005512000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4964-135-0x00000000053F0000-0x00000000053FA000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4964-136-0x00000000063E0000-0x000000000647C000-memory.dmp
    Filesize

    624KB

    Download