Analysis

  • max time kernel
    247s
  • max time network
    329s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230221-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
  • submitted
    06-05-2023 21:41

General

  • Target

    b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe

  • Size

    745KB

  • MD5

    48353808819cf7a6d4557da32df96924

  • SHA1

    188dea1e06e75391cc42fafe84e16396cafae2c9

  • SHA256

    b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf

  • SHA512

    96995e1a500ecff32a36f646d4a5d328f7343a75a3b43a3f0d5a7a73d6769fd015e82bd7c5b47e079149c628e821e87906feb70f2a84d8c6e254649d7a27dbdc

  • SSDEEP

    12288:jBdwsj8LCTdPo7wQbVhc6DTmp2OKlsThMsL9fkFnS:fdj8Lai7/vRDTmYHIMzNS

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m2x5

Decoy

rosetintedglass.com

faeyzawijayasofa.com

sedrik-osvald.online

nothingyun.top

qsoftware.dev

opravka.com

cepteavm.com

dieselmatecivils.com

miscositaspersonalizadas.com

hyxy56.com

tlhhhumor.xyz

heyxin.com

63hdrg1sea9t5by.buzz

chinaita.net

harmonizedwomenshealth.com

explosivearoma.com

biabettv76.com

336rrr.com

168fuzhuang.com

titanj12.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe
    "C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe
      "C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1908

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1908-141-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/1908-143-0x0000000001080000-0x00000000013CA000-memory.dmp

    Filesize

    3.3MB

  • memory/2088-133-0x0000000000D80000-0x0000000000E40000-memory.dmp

    Filesize

    768KB

  • memory/2088-134-0x0000000005EE0000-0x0000000006484000-memory.dmp

    Filesize

    5.6MB

  • memory/2088-135-0x00000000059D0000-0x0000000005A62000-memory.dmp

    Filesize

    584KB

  • memory/2088-136-0x00000000058E0000-0x00000000058F0000-memory.dmp

    Filesize

    64KB

  • memory/2088-137-0x00000000058E0000-0x00000000058F0000-memory.dmp

    Filesize

    64KB

  • memory/2088-138-0x00000000058E0000-0x00000000058F0000-memory.dmp

    Filesize

    64KB

  • memory/2088-139-0x00000000058E0000-0x00000000058F0000-memory.dmp

    Filesize

    64KB

  • memory/2088-140-0x0000000007490000-0x000000000752C000-memory.dmp

    Filesize

    624KB