Overview

overview

10

Static

static

Confrim.exe

windows7-x64

10

Confrim.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-12-2022 15:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confrim.exe

  • Size

    1.1MB

  • MD5

    d679583f6e4de9524e8d60f3cfe343eb

  • SHA1

    f321f520befb48399c77e72ab90985f332a2e787

  • SHA256

    a1faaf24f8676e7de55b25544733a19cd47901d8bfdf678fd9c9aab0d6830c28

  • SHA512

    18802914832308dd714b404de7b276fe2a4cdd627c41168cd76c5a56405ff0c6e489de34e16cc3b4583592dca589547c092709d997a18578da8d733a05b14c84

  • SSDEEP

    24576:kfFpFl4M4+rPVketaBTKwNtB1G+GFHBTHG:khABTKIiBjG

Score
10/10
formbookhe2aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

he2a

Decoy

connectioncompass.store

zekicharge.com

dp77.shop

guninfo.guru

mamaeconomics.net

narcisme.coach

redtopassociates.com

ezezn.com

theoregondog.com

pagosmultired.online

emsculptcenterofne.com

meet-friends.online

pf326.com

wealthjigsaw.xyz

arsajib.com

kickassholdings.online

avaturre.biz

dtslogs.com

lb92.tech

pittalam.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Users\Admin\AppData\Local\Temp\Confrim.exe
      "C:\Users\Admin\AppData\Local\Temp\Confrim.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4688
      • C:\Users\Admin\AppData\Local\Temp\Confrim.exe
        "C:\Users\Admin\AppData\Local\Temp\Confrim.exe"
        3⤵
          PID:3296
        • C:\Users\Admin\AppData\Local\Temp\Confrim.exe
          "C:\Users\Admin\AppData\Local\Temp\Confrim.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1620
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Windows\SysWOW64\svchost.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:224
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Confrim.exe"
          3⤵
            PID:1284

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/224-145-0x0000000000000000-mapping.dmp

        Download

      • memory/224-151-0x0000000000C40000-0x0000000000CD4000-memory.dmp

        Filesize

        592KB

        Download

      • memory/224-150-0x00000000004E0000-0x000000000050F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/224-149-0x0000000001100000-0x000000000144A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/224-147-0x00000000004E0000-0x000000000050F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/224-146-0x0000000000C30000-0x0000000000C3E000-memory.dmp

        Filesize

        56KB

        Download

      • memory/1284-148-0x0000000000000000-mapping.dmp

        Download

      • memory/1620-143-0x0000000000F40000-0x0000000000F55000-memory.dmp

        Filesize

        84KB

        Download

      • memory/1620-141-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1620-139-0x0000000000400000-0x000000000042F000-memory.dmp

        Filesize

        188KB

        Download

      • memory/1620-138-0x0000000000000000-mapping.dmp

        Download

      • memory/1620-142-0x0000000000F60000-0x00000000012AA000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/2416-152-0x0000000008B70000-0x0000000008C9A000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2416-153-0x0000000008B70000-0x0000000008C9A000-memory.dmp

        Filesize

        1.2MB

        Download

      • memory/2416-144-0x00000000032B0000-0x000000000338A000-memory.dmp

        Filesize

        872KB

        Download

      • memory/3296-137-0x0000000000000000-mapping.dmp

        Download

      • memory/4688-135-0x0000000005670000-0x000000000567A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/4688-134-0x0000000005690000-0x0000000005722000-memory.dmp

        Filesize

        584KB

        Download

      • memory/4688-136-0x000000000B7F0000-0x000000000B88C000-memory.dmp

        Filesize

        624KB

        Download

      • memory/4688-133-0x0000000005BA0000-0x0000000006144000-memory.dmp

        Filesize

        5.6MB

        Download

      • memory/4688-132-0x0000000000BB0000-0x0000000000CD0000-memory.dmp

        Filesize

        1.1MB

        Download