Overview

overview

10

Static

static

3

0fc00f6f8f...5b.exe

windows7-x64

10

0fc00f6f8f...5b.exe

windows10-2004-x64

1

Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20231129-en
  • resource tags

    arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
  • submitted
    24/12/2023, 20:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0fc00f6f8fd4eb2e078c6db9aa69915b.exe

  • Size

    1.3MB

  • MD5

    0fc00f6f8fd4eb2e078c6db9aa69915b

  • SHA1

    c5f225eed0bc9ed08a227884db7f4726111eb9ed

  • SHA256

    f00a48ff21da7ef698e1348539b764a78aeec2b5a49cbdd7f6efa5caf0f8a309

  • SHA512

    9710415a1f68dceb205443c3374333c4fbd560db76f894010921785ed4242a1864201c63137f8923d547fac3e847cb4e9a66da085209065d1f81f84053a61ed8

  • SSDEEP

    24576:OqxS/d3pYdkEE/vpv+zBFFhbhBppf0yC2mwRGPoN7vdiTbnFM:DdSvp0pBpZ0yHm/PoiM

Score
10/10
formbook4kxratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

4kx

Decoy

eufood.info

theprotestmatters.com

khauchakhajina.com

008usa-xxf.com

backriverroadsportsplex.com

shopalndrinks.com

necght.xyz

summaryborrow.info

mys518.com

shopapemodeapparel.com

christineroseartiste.com

rsw2226.com

ashes-of-creation.com

shamilalyadin.com

learning-synergy.com

sendstats.net

waverdemo.tech

dubestol.com

bolterbunny.com

beerciderrebattes.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Formbook payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0fc00f6f8fd4eb2e078c6db9aa69915b.exe
    "C:\Users\Admin\AppData\Local\Temp\0fc00f6f8fd4eb2e078c6db9aa69915b.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2912
    • C:\Users\Admin\AppData\Local\Temp\0fc00f6f8fd4eb2e078c6db9aa69915b.exe
      "C:\Users\Admin\AppData\Local\Temp\0fc00f6f8fd4eb2e078c6db9aa69915b.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2484

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2484-10-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2484-16-0x0000000000401000-0x000000000042E000-memory.dmp

    Filesize

    180KB

    Download

  • memory/2484-18-0x0000000000AB0000-0x0000000000DB3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2484-8-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2484-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2484-14-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/2484-17-0x0000000000AB0000-0x0000000000DB3000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2912-4-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2912-15-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2912-1-0x0000000074550000-0x0000000074C3E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/2912-5-0x0000000004DE0000-0x0000000004E20000-memory.dmp

    Filesize

    256KB

    Download

  • memory/2912-6-0x0000000005910000-0x00000000059B4000-memory.dmp

    Filesize

    656KB

    Download

  • memory/2912-0-0x0000000000950000-0x0000000000AAA000-memory.dmp

    Filesize

    1.4MB

    Download

  • memory/2912-3-0x00000000003C0000-0x00000000003D2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/2912-7-0x00000000005C0000-0x00000000005F4000-memory.dmp

    Filesize

    208KB

    Download

  • memory/2912-2-0x0000000004DE0000-0x0000000004E20000-memory.dmp

    Filesize

    256KB

    Download