Overview

overview

10

Static

static

3

250a1e2888...b5.exe

windows7-x64

10

250a1e2888...b5.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    124s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/05/2023, 01:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5.exe

  • Size

    661KB

  • MD5

    52884584e2bbbd4506596bf9cdebd4f1

  • SHA1

    2d1a5c85486065bb8e947148ab2d0b22d87da8ef

  • SHA256

    250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5

  • SHA512

    f807fa5abb52d9acbda3fc4f680324526fb7f898f844503d8df57bfa24f5391b23ba4dcb1471cc233a88c1aefc4bd558201c698edfb8a1623faf741f7faadeeb

  • SSDEEP

    12288:E2iN/tAqWV7ej9J7k5LXkW/qXo59YPHcnN/tqjg8ca:E1htAX0j9wkR8nN/Ejg8ca

Score
10/10
formbookupa6ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

upa6

Decoy

farmaciadelverde.com

1whcfc.top

djameshomes.com

kylepauley.social

dawncharitabletrust.com

leverdurable.com

bluxban.online

oceansideglass.net

pcdcompusoft.com

dlunion.net

continuumadvisorypartners.com

tvlfood.com

pillblue.co.uk

1win-site-3.top

e32mbe.shop

mawelk.xyz

garage365.online

commonwealthbank.online

xw-04.com

smartcitiesrecruitment.co.uk

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5.exe
    "C:\Users\Admin\AppData\Local\Temp\250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Users\Admin\AppData\Local\Temp\250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5.exe
      "C:\Users\Admin\AppData\Local\Temp\250a1e2888f6048ef783f5b580b000127d052371042c70b25497fe000ea662b5.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3720

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2304-133-0x00000000005C0000-0x000000000066C000-memory.dmp

    Filesize

    688KB

    Download

  • memory/2304-134-0x0000000005590000-0x0000000005B34000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2304-135-0x0000000005080000-0x0000000005112000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2304-136-0x0000000005030000-0x000000000503A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2304-137-0x0000000005280000-0x0000000005290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2304-138-0x0000000005280000-0x0000000005290000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2304-139-0x00000000085A0000-0x000000000863C000-memory.dmp

    Filesize

    624KB

    Download

  • memory/3720-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3720-142-0x00000000017C0000-0x0000000001B0A000-memory.dmp

    Filesize

    3.3MB

    Download