Overview

overview

10

Static

static

3

8c0918e6c0...34.exe

windows7-x64

10

8c0918e6c0...34.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    103s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/04/2023, 08:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8c0918e6c03961d7f82b1ac9466df259b6a1574803efdc94370f728a707af234.exe

  • Size

    585KB

  • MD5

    7df31d97b98a8830fddfc9f2930683ea

  • SHA1

    c3cf705ccad435f61723c1cb71cdcea808d9409b

  • SHA256

    8c0918e6c03961d7f82b1ac9466df259b6a1574803efdc94370f728a707af234

  • SHA512

    2aad4499caef71004243d374bc1750318f67f837db77b46cb3b460b95aa8a32a808191a24c4684c26d09a84d0e12ad8d98f55c37d0e33b40ffb4956e94df0e26

  • SSDEEP

    12288:KanE+NTq4Q5+7s5GenL7gnwmJ2YYBa/4cyrxK7LIEmphPJ:ptORfDc6w/4cAxAhmpb

Score
10/10
formbookne28ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ne28

Decoy

basic-careitem.net

healstockton.com

groupetalentapro.com

geseconevent.com

adornmentwithadrienne.com

lazylynx.se

forestwerx.com

labishu.com

hilykan.com

beyondyoursenses.co.uk

inno-imc.com

driverrehab.online

mantlepies.co.uk

sicepat.net

kiwitownkids.com

infiniumsource.com

motorsolutionswithmakro.co.uk

6pg.shop

zijlont.xyz

corpusskencar.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8c0918e6c03961d7f82b1ac9466df259b6a1574803efdc94370f728a707af234.exe
    "C:\Users\Admin\AppData\Local\Temp\8c0918e6c03961d7f82b1ac9466df259b6a1574803efdc94370f728a707af234.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4464
    • C:\Users\Admin\AppData\Local\Temp\8c0918e6c03961d7f82b1ac9466df259b6a1574803efdc94370f728a707af234.exe
      "C:\Users\Admin\AppData\Local\Temp\8c0918e6c03961d7f82b1ac9466df259b6a1574803efdc94370f728a707af234.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2516

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2516-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/2516-142-0x0000000001590000-0x00000000018DA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/4464-133-0x0000000000260000-0x00000000002F8000-memory.dmp

    Filesize

    608KB

    Download

  • memory/4464-134-0x00000000051D0000-0x0000000005774000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/4464-135-0x0000000004CC0000-0x0000000004D52000-memory.dmp

    Filesize

    584KB

    Download

  • memory/4464-136-0x0000000004CB0000-0x0000000004CBA000-memory.dmp

    Filesize

    40KB

    Download

  • memory/4464-137-0x0000000004E00000-0x0000000004E10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4464-138-0x0000000004E00000-0x0000000004E10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4464-139-0x0000000006A70000-0x0000000006B0C000-memory.dmp

    Filesize

    624KB

    Download