Overview

overview

10

Static

static

9108b35ff3...60.exe

windows7-x64

10

9108b35ff3...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    88s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-01-2023 18:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe

  • Size

    456KB

  • MD5

    60be7286ec1b99627d280ecc8836d8bf

  • SHA1

    54275d9e0644a64409c7ebf428fb896b8fc09cc1

  • SHA256

    9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60

  • SHA512

    4e8639fd733c2a95f0c924f30737aaf7751e1464c9cd04624175daadaa4609cfbccfcde9ab566a679434498374fff413c21c3c461f989262d749af3b3887bd2e

  • SSDEEP

    12288:oRg+au+xD+twE66E9b+2Bpme3r8ptnDBMdK+5rT:R39yipnmeb2DmdbT

Score
10/10
formbookelratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

3.8

Campaign

el

Decoy

fundayinc.com

91shiping.red

piccgz.com

greylockiceandheating.com

6-15hothamstreetstkildaeast.com

bladspiegel.com

xn--ruq41buok09a6r0azmh.com

reallifeandlipstick.com

wwwjinsha594.com

wpnull.info

dtaubman.net

eldhw.win

caringhouseholds.com

texasisrael.com

confiservice.com

unihome.store

xn--doqs90b84tkjg.com

xuanweiping.com

edictiosapiens.com

kalkulatorkredytow.online

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe
    "C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe
      C:\Users\Admin\AppData\Local\Temp\9108b35ff3990b95827cb5c530c3b9e960ea215fb4488b33ad24af92e80c6b60.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3548
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 424
        3⤵
        • Program crash
        PID:4448
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3548 -s 432
        3⤵
        • Program crash
        PID:1432
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 3548 -ip 3548
    1⤵
      PID:3100
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3548 -ip 3548
      1⤵
        PID:1232

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2404-134-0x0000000002240000-0x0000000002246000-memory.dmp

        Filesize

        24KB

        Download

      • memory/2404-136-0x0000000077E40000-0x0000000077FE3000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3548-138-0x0000000077E40000-0x0000000077FE3000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/3548-139-0x0000000000400000-0x000000000042A000-memory.dmp

        Filesize

        168KB

        Download

      • memory/3548-140-0x0000000006C30000-0x0000000006F7A000-memory.dmp

        Filesize

        3.3MB

        Download

      • memory/3548-141-0x0000000077E40000-0x0000000077FE3000-memory.dmp

        Filesize

        1.6MB

        Download