Overview

overview

10

Static

static

f0523a3740...e1.exe

windows7-x64

10

f0523a3740...e1.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    39s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    29-01-2023 17:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    f0523a3740dcc2d5e2aba1ed1ffa39466017fef13375e0167d71382037175be1.exe

  • Size

    501KB

  • MD5

    3b92452984ee117a07b0a79d2932f3cb

  • SHA1

    4996654a39d238bb91bb464edfa3d301c516ce69

  • SHA256

    f0523a3740dcc2d5e2aba1ed1ffa39466017fef13375e0167d71382037175be1

  • SHA512

    f8b9944cc675b6d6a331994d6c17bd434670d1438bb9bd449307413e941f0aeb82e18717d40fe68852a0e8923c09186065d2a93d73695ced82930bc036648d06

  • SSDEEP

    12288:J2xbIeZ3fmiS4s5Xkg3Fo9Aqbkd2/z+rA:wbIeZ3unzXkYo9Aqb2s

Score
10/10
formbookkoratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.9

Campaign

ko

Decoy

batatproject.com

mydaxuetang.com

clmproject.com

die-erste-werkstatt.com

constructiveproductions.com

vorhersage.net

jonathanandcolleen.com

crmparis.com

thesexpistolsvevo.com

sauna.media

osmspayments.net

320903.com

keshuotech.com

smpql.com

ssgan75.com

651bifa.com

weyena.com

lauraradu.com

carbuco.com

thejobdocs.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\f0523a3740dcc2d5e2aba1ed1ffa39466017fef13375e0167d71382037175be1.exe
    "C:\Users\Admin\AppData\Local\Temp\f0523a3740dcc2d5e2aba1ed1ffa39466017fef13375e0167d71382037175be1.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:956
    • C:\Users\Admin\AppData\Local\Temp\f0523a3740dcc2d5e2aba1ed1ffa39466017fef13375e0167d71382037175be1.exe
      C:\Users\Admin\AppData\Local\Temp\f0523a3740dcc2d5e2aba1ed1ffa39466017fef13375e0167d71382037175be1.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/956-61-0x0000000077340000-0x00000000774C0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/956-57-0x0000000075B61000-0x0000000075B63000-memory.dmp

    Filesize

    8KB

    Download

  • memory/956-56-0x00000000002E0000-0x00000000002E7000-memory.dmp

    Filesize

    28KB

    Download

  • memory/956-59-0x00000000002E0000-0x00000000002E7000-memory.dmp

    Filesize

    28KB

    Download

  • memory/956-60-0x0000000077160000-0x0000000077309000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1344-62-0x00000000001B0000-0x00000000001B7000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1344-65-0x0000000000400000-0x000000000042A000-memory.dmp

    Filesize

    168KB

    Download

  • memory/1344-64-0x0000000000400000-0x000000000047D000-memory.dmp

    Filesize

    500KB

    Download

  • memory/1344-66-0x00000000001B0000-0x00000000001B7000-memory.dmp

    Filesize

    28KB

    Download

  • memory/1344-67-0x0000000077160000-0x0000000077309000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1344-68-0x0000000077340000-0x00000000774C0000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/1344-69-0x0000000006810000-0x0000000006B13000-memory.dmp

    Filesize

    3.0MB

    Download