Analysis
max time kernel: 247s
max time network: 329s
platform: windows10-2004_x64
resource: win10v2004-20230221-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230221-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06-05-2023 21:41
Static task: static1
Behavioral task: behavioral1
Sample: b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe
Resource: win7-20230220-en
General
Target: b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe
Size: 745KB
MD5: 48353808819cf7a6d4557da32df96924
SHA1: 188dea1e06e75391cc42fafe84e16396cafae2c9
SHA256: b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf
SHA512: 96995e1a500ecff32a36f646d4a5d328f7343a75a3b43a3f0d5a7a73d6769fd015e82bd7c5b47e079149c628e821e87906feb70f2a84d8c6e254649d7a27dbdc
SSDEEP: 12288:jBdwsj8LCTdPo7wQbVhc6DTmp2OKlsThMsL9fkFnS:fdj8Lai7/vRDTmYHIMzNS
Malware Config (extracted)
Family: formbook
Version: 4.1
Campaign: m2x5
Signatures

Formbook payload (1 IoC)
resource: behavioral2/memory/1908-141-0x0000000000400000-0x000000000042F000-memory.dmp
yara_rule: formbook

Suspicious use of SetThreadContext (1 IoC)
description: PID 2088 set thread context of 1908
pid: 2088
Process: b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe
procid_target: 84

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid: 1908
Process: b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe
(the same entry is reported twice)

Suspicious use of WriteProcessMemory (6 IoCs)
description: PID 2088 wrote to memory of 1908
pid: 2088
Process: b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe
procid_target: 84
(the same entry is reported six times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe (PID 2088)
   command line: "C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe (PID 1908, child of PID 2088)
      command line: "C:\Users\Admin\AppData\Local\Temp\b5e3575e253ae6811203e02d42fda718a5655baec9545f839ceb4473e5de33bf.exe"
      - Suspicious behavior: EnumeratesProcesses