Analysis

  • max time kernel
    121s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20230831-en
  • resource tags

    arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
  • submitted
    02-09-2023 01:07

General

  • Target

    d4b306e65c16a66f2c0851d70709f117d2a93596fa9ad5905f99c99ea25aba10.exe

  • Size

    955KB

  • MD5

    15e76febd9a13cf44e211849c051a68c

  • SHA1

    6d3b2d2b00e210d706e6f5746cae5e8cafae777b

  • SHA256

    d4b306e65c16a66f2c0851d70709f117d2a93596fa9ad5905f99c99ea25aba10

  • SHA512

    74be8b1f75065eb7991ca07c559f6a14354c65ce20ddbce6127253c4b73ce29b6ecfa786fc67d095b6bbc9939446c54c684811fde4116a318835eaa32e5a4105

  • SSDEEP

    24576:reunQk8WUgZxqyp/0knO+e8KnCqTsQlSC:nUexqahnXe8KnZTsQlS

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

v93r

Decoy

labourcommunitymarket.com

nba82.com

datahabitsales.site

rosstony.link

baliorganic.farm

qefhyjngrxcbjfvgft.autos

bippttcg.click

tldrschool.com

vcdaawug.click

garage2mats.com

soulrin.store

themezodermacream.com

522fairwaylookout.com

jmhoa.cyou

sygcb.link

thanhpresident.com

biy-home.com

imtmlife.online

dijitalpasaj.app

105261.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\d4b306e65c16a66f2c0851d70709f117d2a93596fa9ad5905f99c99ea25aba10.exe
    "C:\Users\Admin\AppData\Local\Temp\d4b306e65c16a66f2c0851d70709f117d2a93596fa9ad5905f99c99ea25aba10.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2080
    • C:\Users\Admin\AppData\Local\Temp\d4b306e65c16a66f2c0851d70709f117d2a93596fa9ad5905f99c99ea25aba10.exe
      "C:\Users\Admin\AppData\Local\Temp\d4b306e65c16a66f2c0851d70709f117d2a93596fa9ad5905f99c99ea25aba10.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2668

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2080-6-0x0000000000370000-0x000000000037E000-memory.dmp

    Filesize

    56KB

  • memory/2080-0-0x0000000000950000-0x0000000000A46000-memory.dmp

    Filesize

    984KB

  • memory/2080-2-0x0000000007440000-0x0000000007480000-memory.dmp

    Filesize

    256KB

  • memory/2080-3-0x0000000000310000-0x0000000000324000-memory.dmp

    Filesize

    80KB

  • memory/2080-4-0x0000000074A20000-0x000000007510E000-memory.dmp

    Filesize

    6.9MB

  • memory/2080-5-0x0000000007440000-0x0000000007480000-memory.dmp

    Filesize

    256KB

  • memory/2080-1-0x0000000074A20000-0x000000007510E000-memory.dmp

    Filesize

    6.9MB

  • memory/2080-7-0x0000000007380000-0x00000000073EE000-memory.dmp

    Filesize

    440KB

  • memory/2080-13-0x0000000074A20000-0x000000007510E000-memory.dmp

    Filesize

    6.9MB

  • memory/2668-9-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2668-8-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2668-12-0x0000000000400000-0x000000000042F000-memory.dmp

    Filesize

    188KB

  • memory/2668-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/2668-14-0x0000000000A50000-0x0000000000D53000-memory.dmp

    Filesize

    3.0MB