Analysis

  • max time kernel
    142s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20231020-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    23/10/2023, 17:43

General

  • Target

    NEAS.a00ea565f9db4d7b4eeef36c77c6635a84ef610ad73890a2b0bd9852ff6d73f7exe_JC.exe

  • Size

    636KB

  • MD5

    00fd4d2c65c750f7b8c1d3c01ca1971d

  • SHA1

    9948ab44fcf59db07b020c54af3f957c9d4a4cd6

  • SHA256

    a00ea565f9db4d7b4eeef36c77c6635a84ef610ad73890a2b0bd9852ff6d73f7

  • SHA512

    72e8f912ab8324057bfbcdc875eaff34d9f1dedd27d2e7d84f12d904f9a195f689bc14c6f8e50c846fbd10e69d1da4b9fa322d5618fc6f9d90c372c7b77055db

  • SSDEEP

    12288:IjTB7s9DwY5hq+BqBkUkdVz4BygljeHaDKvjx/TzwXGKimdXv:KB7s9DdhvqRkXENNDKvjx/TzwXfii

Malware Config

Extracted

  • Family
    formbook
  • Version
    4.1
  • Campaign
    k0p2
  • Decoy

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • Formbook payload (1 IoC)
  • Suspicious use of SetThreadContext (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious use of WriteProcessMemory (6 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.a00ea565f9db4d7b4eeef36c77c6635a84ef610ad73890a2b0bd9852ff6d73f7exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.a00ea565f9db4d7b4eeef36c77c6635a84ef610ad73890a2b0bd9852ff6d73f7exe_JC.exe"
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID: 2276
    • C:\Users\Admin\AppData\Local\Temp\NEAS.a00ea565f9db4d7b4eeef36c77c6635a84ef610ad73890a2b0bd9852ff6d73f7exe_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.a00ea565f9db4d7b4eeef36c77c6635a84ef610ad73890a2b0bd9852ff6d73f7exe_JC.exe"
      • Suspicious behavior: EnumeratesProcesses
      PID: 4984

Network

Downloads

  • memory/2276-6-0x00000000058A0000-0x00000000058B8000-memory.dmp
    Filesize: 96KB
  • memory/2276-10-0x0000000007E30000-0x0000000007E9E000-memory.dmp
    Filesize: 440KB
  • memory/2276-2-0x0000000005960000-0x0000000005F04000-memory.dmp
    Filesize: 5.6MB
  • memory/2276-3-0x00000000053B0000-0x0000000005442000-memory.dmp
    Filesize: 584KB
  • memory/2276-4-0x00000000055B0000-0x00000000055C0000-memory.dmp
    Filesize: 64KB
  • memory/2276-5-0x0000000005380000-0x000000000538A000-memory.dmp
    Filesize: 40KB
  • memory/2276-1-0x00000000008F0000-0x0000000000994000-memory.dmp
    Filesize: 656KB
  • memory/2276-8-0x00000000055B0000-0x00000000055C0000-memory.dmp
    Filesize: 64KB
  • memory/2276-0-0x00000000748C0000-0x0000000075070000-memory.dmp
    Filesize: 7.7MB
  • memory/2276-9-0x0000000005780000-0x0000000005790000-memory.dmp
    Filesize: 64KB
  • memory/2276-7-0x00000000748C0000-0x0000000075070000-memory.dmp
    Filesize: 7.7MB
  • memory/2276-11-0x000000000A570000-0x000000000A60C000-memory.dmp
    Filesize: 624KB
  • memory/2276-14-0x00000000748C0000-0x0000000075070000-memory.dmp
    Filesize: 7.7MB
  • memory/4984-12-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize: 188KB
  • memory/4984-15-0x0000000000E60000-0x00000000011AA000-memory.dmp
    Filesize: 3.3MB