Overview

overview

10

Static

static

3

110142e8d1...32.exe

windows7-x64

10

110142e8d1...32.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    93s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19/12/2023, 11:10

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    110142e8d152faac7f40309a52d71532.exe

  • Size

    739KB

  • MD5

    110142e8d152faac7f40309a52d71532

  • SHA1

    b3fd224110c7458238342dee5db36173bc46ee95

  • SHA256

    051cd19f3c86a89752298ea78c9c776a355370e3e8da1d69585d0c8afb65142f

  • SHA512

    f553f58bc8651ecdbd1d3c79335c3f0c4f8c27f583ff91545f54bd4c0ff9956fba952aed0c02fee2c19b5eaa7d9bc8a7897c2db7aaae3b0f895eaa921d87c50d

  • SSDEEP

    12288:h6T33fmgQJKcmDl5dZnMCDznwmsIVtCGQEu:h6T+3mDl

Score
10/10
formbookgt4lratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gt4l

Decoy

livewithangelavaladez.xyz

pdla1oorf7.com

edroi.com

prysodt.xyz

yacht-chi7-sanlorenzo.com

worenocy.com

sprayfoamsave.com

felipelourenco.online

thisnthatpaithailand.com

troyl.ink

apptohealth.com

colectivasolar.net

gljsbq.com

futsunoossan.com

fairmountuniversity.com

schaff-smart-solutions.gmbh

releasingpro.com

katiescarlettartist.com

netskopesecurity.com

erfdj.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\110142e8d152faac7f40309a52d71532.exe
    "C:\Users\Admin\AppData\Local\Temp\110142e8d152faac7f40309a52d71532.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3480
    • C:\Users\Admin\AppData\Local\Temp\110142e8d152faac7f40309a52d71532.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3800

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/3480-0-0x00000000746D0000-0x0000000074C81000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3480-1-0x00000000746D0000-0x0000000074C81000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3480-2-0x0000000001460000-0x0000000001470000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3480-3-0x00000000746D0000-0x0000000074C81000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3480-4-0x0000000001460000-0x0000000001470000-memory.dmp

          Filesize

          64KB

          Download

        • memory/3480-7-0x00000000746D0000-0x0000000074C81000-memory.dmp

          Filesize

          5.7MB

          Download

        • memory/3800-5-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/3800-8-0x00000000012A0000-0x00000000015EA000-memory.dmp

          Filesize

          3.3MB

          Download

        • memory/3800-9-0x00000000012A0000-0x00000000015EA000-memory.dmp

          Filesize

          3.3MB

          Download