Overview

overview

10

Static

static

3

b1d6939bbb...0a.exe

windows7-x64

10

b1d6939bbb...0a.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/07/2023, 10:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a.exe

  • Size

    800KB

  • MD5

    ec39b68632b1c21cce891735808e5bad

  • SHA1

    367eb9ce7776adb301bdd27f51ac632e10184482

  • SHA256

    b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a

  • SHA512

    9bce138a8be3c9272c883e230eedbee66b8070c34ebe1c8c6dfe1bea1813fcd28800a95720fee10910a64eaa25b0b2b3cf24502b73ef4f88cd5e22aefa69794e

  • SSDEEP

    12288:ioAcuF6mn1DHLZnvJ15iOe42KMu/N3mWhQmwmJCMpU+ZPjyzggl9SoUNUEkN/m8V:giOV/NOa7Pjysg2pYTY9ozxwU8EJBKM

Score
10/10
formbookct45ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ct45

Decoy

aeepi.com

lifestyledoneright.com

dilojakac.cfd

vievnsfabula.xyz

jiggirirecords.com

sklaap.xyz

prepper.day

tahta4d-vip.info

p94d3.xyz

17819.vip

gptvoucher.com

ig2x0m.com

croppdtt.com

hnnhiuqme6e701.xyz

zeis.xyz

w77773.com

inspantringa.cfd

webnative.xyz

haahhuzns1okd1.xyz

thinkingmansguidetowomen.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a.exe
    "C:\Users\Admin\AppData\Local\Temp\b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2688
    • C:\Users\Admin\AppData\Local\Temp\b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a.exe
      "C:\Users\Admin\AppData\Local\Temp\b1d6939bbb4a9f66306d13bd4b0cd7a59fbe69c451c3bd2df836a65c1114f70a.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:64

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/64-140-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/64-142-0x0000000001AB0000-0x0000000001DFA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/64-143-0x0000000001AB0000-0x0000000001DFA000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/2688-133-0x00000000003C0000-0x000000000048E000-memory.dmp

    Filesize

    824KB

    Download

  • memory/2688-134-0x00000000053E0000-0x0000000005984000-memory.dmp

    Filesize

    5.6MB

    Download

  • memory/2688-135-0x0000000004ED0000-0x0000000004F62000-memory.dmp

    Filesize

    584KB

    Download

  • memory/2688-136-0x0000000004E70000-0x0000000004E7A000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2688-137-0x0000000005080000-0x0000000005090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2688-138-0x0000000005080000-0x0000000005090000-memory.dmp

    Filesize

    64KB

    Download

  • memory/2688-139-0x00000000067A0000-0x000000000683C000-memory.dmp

    Filesize

    624KB

    Download