Analysis
-
max time kernel
146s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20230220-en -
resource tags
-
submitted
18/05/2023, 13:57
General
-
Target
BANKDETAILS.exe
-
Size
670KB
-
MD5
62de26e79eac6c290961bb1afa81ba1a
-
SHA1
77530bc0c680378aa32fb2e0270872483b9180ab
-
SHA256
0368b2ffa6991460a59b03edcd2ef71c423a27d4902b2222248bc0935776614d
-
SHA512
10ee542999f7fead4c4fedbb6e7345713a5e926d477149178ecb98dbc9231664416e14210bc5c0ea0f9c42ab10c5bae2a82629e5f1d22c17d9109f7e17800e5a
-
SSDEEP
12288:LmghfidoyW343eZQjro5O6hfteIghB6sGnf9Yprmf:LmCid5g4ugwItGsGnf9Y5s
Malware Config
Extracted
formbook
4.1
m82
jamesdevereux.com
artificialturfminneapolis.com
hongmeiyan.com
lojaderoupasbr.com
yit.africa
austinrelocationexpert.com
saiva.page
exitsategy.com
chochonux.com
klosterbraeu-unterliezheim.com
byseymanur.com
sblwarwickshire.co.uk
brazimaid.com
ciogame.com
bronzesailing.com
dwkapl.xyz
022dyd.com
compassandpathwriting.com
alphabet1x.com
selfcleaninghairbrush.co.uk
Signatures
-
Formbook
Formbook is a data stealing malware which is capable of stealing data.
-
Formbook payload 4 IoCs
-
Suspicious use of SetThreadContext 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 42 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 5 IoCs
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\BANKDETAILS.exe"C:\Users\Admin\AppData\Local\Temp\BANKDETAILS.exe"1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
-
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\netsh.exe"C:\Windows\SysWOW64\netsh.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"3⤵
-
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
688KB
-
Filesize
5.6MB
-
Filesize
584KB
-
Filesize
40KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
624KB
-
Filesize
1.6MB
-
Filesize
1.6MB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
632KB
-
Filesize
3.3MB
-
Filesize
188KB
-
Filesize
188KB
-
Filesize
84KB
-
Filesize
120KB
-
Filesize
188KB
-
Filesize
3.3MB
-
Filesize
188KB
-
Filesize
120KB
-
Filesize
592KB