Analysis

  • max time kernel
    92s
  • max time network
    159s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231020-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20231020-en locale:en-us os:windows10-2004-x64 system
  • submitted
    23/10/2023, 19:38

General

  • Target

    NEAS.fd8ec7e66dab730de6d7a96168974b95f2e9ba43c0c05b5fac55b3abc8a52d73exe_JC.exe

  • Size

    635KB

  • MD5

    338813a058a8a13c04afe5a9b7db531b

  • SHA1

    5854ef67aad79a7d9cbe7111d334dd062ca6e09c

  • SHA256

    fd8ec7e66dab730de6d7a96168974b95f2e9ba43c0c05b5fac55b3abc8a52d73

  • SHA512

    aedca8aed3ae987138dfd7e77cdda73ee8203bfd8d93490ca411c4b1c66d6cb4b9e73e51e6d96cb458e386dfff9c8c4221c180421341d2ad7b280429fd1c586d

  • SSDEEP

    12288:AT7s92gnd0vY0nnmc2G0oxZTYAx8Te2F5LBRXa8lv1JcTcwn:AT7s99dEY0/0oxZUT3Ha8dLcQg

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ls02

Decoy

vocabularybot.com

invisalignsmilesolutions.xyz

sleepdisorderinsomnia.com

bern.beauty

ahazmcdris.top

21874960sie8ca1.store

yeitced.xyz

biggerpictureventures.com

alduhagroup.com

itsolutions.biz

0oq6y.com

wildpolis.com

mariobet469.com

brynnwpods.com

tastywin.com

cou2m1.com

newaitrucks.com

puremeans.studio

mitienda-la.com

jujuresorthotel.com

Signatures

  • Formbook

    Formbook is an information stealer and keylogger: it harvests credentials and form data from browsers and other applications, logs keystrokes, and can download and run further payloads on operator command. Its configuration carries a list of decoy domains alongside the real C2, which is why the extracted config above lists many unrelated hosts.

  • Formbook payload 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\NEAS.fd8ec7e66dab730de6d7a96168974b95f2e9ba43c0c05b5fac55b3abc8a52d73exe_JC.exe
    "C:\Users\Admin\AppData\Local\Temp\NEAS.fd8ec7e66dab730de6d7a96168974b95f2e9ba43c0c05b5fac55b3abc8a52d73exe_JC.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2256
    • C:\Users\Admin\AppData\Local\Temp\NEAS.fd8ec7e66dab730de6d7a96168974b95f2e9ba43c0c05b5fac55b3abc8a52d73exe_JC.exe
      "C:\Users\Admin\AppData\Local\Temp\NEAS.fd8ec7e66dab730de6d7a96168974b95f2e9ba43c0c05b5fac55b3abc8a52d73exe_JC.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3356

Network

Downloads

  • memory/2256-0-0x00000000006C0000-0x0000000000764000-memory.dmp
    Filesize
    656KB
  • memory/2256-1-0x0000000074AA0000-0x0000000075250000-memory.dmp
    Filesize
    7.7MB
  • memory/2256-2-0x0000000005680000-0x0000000005C24000-memory.dmp
    Filesize
    5.6MB
  • memory/2256-3-0x0000000005170000-0x0000000005202000-memory.dmp
    Filesize
    584KB
  • memory/2256-4-0x00000000050D0000-0x00000000050E0000-memory.dmp
    Filesize
    64KB
  • memory/2256-5-0x0000000005300000-0x000000000530A000-memory.dmp
    Filesize
    40KB
  • memory/2256-6-0x0000000005660000-0x0000000005678000-memory.dmp
    Filesize
    96KB
  • memory/2256-7-0x0000000074AA0000-0x0000000075250000-memory.dmp
    Filesize
    7.7MB
  • memory/2256-8-0x00000000050D0000-0x00000000050E0000-memory.dmp
    Filesize
    64KB
  • memory/2256-9-0x00000000065B0000-0x00000000065C0000-memory.dmp
    Filesize
    64KB
  • memory/2256-10-0x0000000007BE0000-0x0000000007C4E000-memory.dmp
    Filesize
    440KB
  • memory/2256-11-0x000000000A320000-0x000000000A3BC000-memory.dmp
    Filesize
    624KB
  • memory/2256-14-0x0000000074AA0000-0x0000000075250000-memory.dmp
    Filesize
    7.7MB
  • memory/3356-12-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize
    188KB
  • memory/3356-15-0x00000000010C0000-0x000000000140A000-memory.dmp
    Filesize
    3.3MB
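The process tree and the memory-dump list together tell the practitioner's story: the parent (PID 2256) starts a second copy of its own image (PID 3356) and hits SetThreadContext and WriteProcessMemory against it, and the child's dump at the default 32-bit image base 0x400000 is 188KB while the file on disk is 635KB. That combination is what an analyst reads as process hollowing with a small unpacked payload. The script below is an added example, not the sandbox's or Formbook's own code; it parses the dump names and the process tree exactly as they appear in this report (embedded here as constructed input), recomputes each region's size with the report's rounding, and applies a hollowing heuristic. The heuristic, the 0x400000 base, and treating "635KB" as KiB are assumptions, not sandbox rules.

```python
import re
from dataclasses import dataclass

# Constructed from the Processes section above: same image path for parent and
# child, parent flagged for SetThreadContext + WriteProcessMemory.
IMAGE = (r"C:\Users\Admin\AppData\Local\Temp"
         r"\NEAS.fd8ec7e66dab730de6d7a96168974b95f2e9ba43c0c05b5fac55b3abc8a52d73exe_JC.exe")
PROCESS_TREE = [
    {"pid": 2256, "parent": None, "image": IMAGE,
     "signatures": {"SetThreadContext", "WriteProcessMemory"}},
    {"pid": 3356, "parent": 2256, "image": IMAGE,
     "signatures": {"EnumeratesProcesses"}},
]

# A subset of the Downloads section above (constructed input, names verbatim).
DUMP_NAMES = [
    "memory/2256-0-0x00000000006C0000-0x0000000000764000-memory.dmp",
    "memory/2256-1-0x0000000074AA0000-0x0000000075250000-memory.dmp",
    "memory/2256-10-0x0000000007BE0000-0x0000000007C4E000-memory.dmp",
    "memory/3356-12-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/3356-15-0x00000000010C0000-0x000000000140A000-memory.dmp",
]

ON_DISK_SIZE = 635 * 1024  # "Size 635KB" from the General section; KiB assumed

DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)


@dataclass(frozen=True)
class Region:
    pid: int
    idx: int
    start: int
    end: int

    @property
    def size(self) -> int:
        return self.end - self.start


def parse_dump_name(name: str) -> Region:
    """Turn 'memory/<pid>-<idx>-0x<start>-0x<end>-memory.dmp' into a Region."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    r = Region(int(m["pid"]), int(m["idx"]), int(m["start"], 16), int(m["end"], 16))
    if r.end <= r.start:
        raise ValueError(f"empty or inverted range in {name}")
    return r


def human_size(n: int) -> str:
    """Reproduce the report's rounding: whole KiB below 1 MiB, one decimal MiB above."""
    if n >= 1 << 20:
        return f"{n / (1 << 20):.1f}MB"
    return f"{n // 1024}KB"


def dump_table(dump_names):
    """Sorted (pid, idx, size string) rows, handy for cross-checking the report."""
    regions = sorted((parse_dump_name(n) for n in dump_names), key=lambda r: (r.pid, r.idx))
    return [(r.pid, r.idx, human_size(r.size)) for r in regions]


def hollowing_candidates(tree, dump_names, on_disk_size, image_base=0x400000):
    """Heuristic (assumption, not a sandbox rule): flag a child whose image path
    equals its parent's, where the parent used SetThreadContext and
    WriteProcessMemory, and where a dumped region in the child starts at the
    legacy default image base with a size that differs from the file on disk."""
    by_pid = {p["pid"]: p for p in tree}
    regions = [parse_dump_name(n) for n in dump_names]
    needed = {"SetThreadContext", "WriteProcessMemory"}
    hits = {}
    for p in tree:
        parent = by_pid.get(p["parent"])
        if parent is None or parent["image"].lower() != p["image"].lower():
            continue
        if not needed <= parent["signatures"]:
            continue
        for r in regions:
            if r.pid == p["pid"] and r.start == image_base and r.size != on_disk_size:
                hits[p["pid"]] = {"injected_image_size": r.size, "dump": r}
    return hits


if __name__ == "__main__":
    for pid, idx, size in dump_table(DUMP_NAMES):
        print(f"{pid}-{idx}: {size}")
    for pid, info in hollowing_candidates(PROCESS_TREE, DUMP_NAMES, ON_DISK_SIZE).items():
        print(f"PID {pid}: likely hollowed, in-memory image {info['injected_image_size']} bytes "
              f"vs {ON_DISK_SIZE} on disk -> carve dump {info['dump'].idx} for the payload")
```

The region flagged for PID 3356 (dump 12, 0x400000 to 0x42F000) is the one worth carving and scanning first; the 3.3MB region in the same process is where Formbook's later allocations sit, but the small image at the default base is the unpacked executable.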