Overview

overview

10

Static

static

3

d2f580c133...cc.exe

windows7-x64

1

d2f580c133...cc.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/07/2023, 05:04

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    d2f580c133802c6a3d4117117d5c16cc.exe

  • Size

    590KB

  • MD5

    d2f580c133802c6a3d4117117d5c16cc

  • SHA1

    eb014e24331bd1df38875d5c722e0db16dc8d5db

  • SHA256

    cfd843a4218fd91e46bf20068627e94bcc20cf68ec6a84ad4811d39b8c6c7ccd

  • SHA512

    4d8caad78cf422dc6c29db278c16076a7a8697e5f60c238cccc1ac7e5dbea6bf444b70baf227c3596ba7f7de89d2368d42ce1991dc9071b686affe0833f7c48c

  • SSDEEP

    12288:PPwJpDRWJ373SENQZ6DRRu1Lc6jRhjszcNrI5GPcn:Xw03bSWQEDDvGjBi5i

Score
10/10
formbook4hc5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

4hc5

Decoy

amandaastburyillustration.com

7141999.com

showshoe.info

sagemarlin.com

lithuaniandreamtime.com

therenixgroupllc.com

avalialooks.shop

vurporn.com

lemmy.systems

2816goldfinch.com

pacersun.com

checktrace.com

loadtransfer.site

matsuri-jujutsukaisen.com

iontrapper.science

5108010.com

beidixi.com

21305599.com

peakvitality.fitness

osisfeelingfee.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d2f580c133802c6a3d4117117d5c16cc.exe
    "C:\Users\Admin\AppData\Local\Temp\d2f580c133802c6a3d4117117d5c16cc.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3844
    • C:\Users\Admin\AppData\Local\Temp\d2f580c133802c6a3d4117117d5c16cc.exe
      "C:\Users\Admin\AppData\Local\Temp\d2f580c133802c6a3d4117117d5c16cc.exe"
      2⤵
        PID:4976
      • C:\Users\Admin\AppData\Local\Temp\d2f580c133802c6a3d4117117d5c16cc.exe
        "C:\Users\Admin\AppData\Local\Temp\d2f580c133802c6a3d4117117d5c16cc.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1812

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1812-140-0x0000000000400000-0x000000000042F000-memory.dmp

            Filesize

            188KB

            Download

          • memory/1812-142-0x00000000010F0000-0x000000000143A000-memory.dmp

            Filesize

            3.3MB

            Download

          • memory/3844-133-0x0000000000EB0000-0x0000000000F4A000-memory.dmp

            Filesize

            616KB

            Download

          • memory/3844-134-0x0000000005E00000-0x00000000063A4000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/3844-135-0x0000000005900000-0x0000000005992000-memory.dmp

            Filesize

            584KB

            Download

          • memory/3844-136-0x0000000005AB0000-0x0000000005ABA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/3844-137-0x0000000005B90000-0x0000000005BA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3844-138-0x0000000005B90000-0x0000000005BA0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/3844-139-0x0000000009710000-0x00000000097AC000-memory.dmp

            Filesize

            624KB

            Download