Overview

overview

10

Static

static

8f361d8882...76.exe

windows7-x64

10

8f361d8882...76.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2022 02:10

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe

  • Size

    926KB

  • MD5

    fbcb87e65d3a23b4fe229aeace34621f

  • SHA1

    8139f123069e7e7632331779de8ed6d5031efcd1

  • SHA256

    8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876

  • SHA512

    1585b0c6b35bf4cb2c00b82079755e1c536d0a912c307fbbb2028e28b9f88d0cfd9272d459836b064a9893983dd25c1fba2aeeff25ab4ba50c9fd664ff25bd36

  • SSDEEP

    12288:8UUq1vQWztAJchTCRjN1McME0s2BJOwxmGr5t:V17W2hTMN1tZ0s2BJOwxV

Score
10/10
formbookawquratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

awqu

Decoy

soltwin24horas.com

kaiget.com

majalahlangitan.com

preventable.top

caronandtom.com

2222k06.com

hdrezkart54ff.net

supermessage.xyz

dezeenb.com

bestatakes.xyz

californiasportsbar.com

hxg66.xyz

localxgirl.online

educ-ability.com

b2breferralshop.online

miamicollisioncenter.com

bjcxqcdb.com

barrineauparkbees.com

robotics6.com

web-bastler.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
    "C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4656
    • C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe
      "C:\Users\Admin\AppData\Local\Temp\8f361d8882f426ba9ebfe5c5d76a9a459cb8554d93c369864726dda441026876.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1732

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1732-138-0x0000000000000000-mapping.dmp
    Download
  • memory/1732-139-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1732-140-0x0000000001A50000-0x0000000001D9A000-memory.dmp
    Filesize

    3.3MB

    Download
  • memory/4656-132-0x00000000006E0000-0x00000000007CE000-memory.dmp
    Filesize

    952KB

    Download
  • memory/4656-133-0x0000000005740000-0x0000000005CE4000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/4656-134-0x0000000005190000-0x0000000005222000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4656-135-0x0000000005160000-0x000000000516A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4656-136-0x0000000008B80000-0x0000000008C1C000-memory.dmp
    Filesize

    624KB

    Download
  • memory/4656-137-0x0000000008CA0000-0x0000000008D06000-memory.dmp
    Filesize

    408KB

    Download