Overview

overview

10

Static

static

3

e853e75042...b0.exe

windows7-x64

10

e853e75042...b0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2023 16:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e853e750421f951ae0a6bd231e0bd5b0.exe

  • Size

    1.0MB

  • MD5

    e853e750421f951ae0a6bd231e0bd5b0

  • SHA1

    0f7eb114f22705449e4069484aeb77e4fa88387f

  • SHA256

    ee7d4eabf89c595d1adfc55c618777216b987729e02381381c82ca50a890c3a2

  • SHA512

    53d0ecd97c862a6c920ee0113ed64f11121d611593da12caca53e933328e55b8c8315173410fa024989688124143bb75c55bfba15b0c68118e1773e677613028

  • SSDEEP

    12288:EvbSopg3ip6aBOjNP5/d3XSAHoRoDoyoNo0K2znyuSzr2VsJursi/UYPydyAJa:IdYA6ac15/d3n64Jac2ezPti/UYPE

Score
10/10
formbookpm7sratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

pm7s

Decoy

angrypeacocks.site

theindependentartlable.com

coachingforthewin.com

localbizsc.com

drive-a-supercar.com

mewsette.com

scinuh.com

gurugramaffordablehomes.com

riamedefarm.com

richfitzfashions.com

u9j1o.info

dife-rent.com

talesfromthequadrat.com

dandfmotors.com

springtexasdentist.com

gobakala.store

earlyeducationglobal.com

sdrxsb.site

dreamlifebiz.com

theurbancaveshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e853e750421f951ae0a6bd231e0bd5b0.exe
    "C:\Users\Admin\AppData\Local\Temp\e853e750421f951ae0a6bd231e0bd5b0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2540
    • C:\Users\Admin\AppData\Local\Temp\e853e750421f951ae0a6bd231e0bd5b0.exe
      "C:\Users\Admin\AppData\Local\Temp\e853e750421f951ae0a6bd231e0bd5b0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2620

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2540-1-0x0000000000C10000-0x0000000000D22000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/2540-0-0x0000000074BE0000-0x00000000752CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2540-2-0x0000000000640000-0x0000000000680000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2540-3-0x0000000000310000-0x0000000000322000-memory.dmp
    Filesize

    72KB

    Download
  • memory/2540-4-0x0000000074BE0000-0x00000000752CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2540-5-0x0000000000640000-0x0000000000680000-memory.dmp
    Filesize

    256KB

    Download
  • memory/2540-6-0x0000000005A10000-0x0000000005A8C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/2540-7-0x0000000000610000-0x0000000000644000-memory.dmp
    Filesize

    208KB

    Download
  • memory/2540-13-0x0000000074BE0000-0x00000000752CE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2620-12-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2620-10-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2620-9-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2620-8-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2620-14-0x0000000000850000-0x0000000000B53000-memory.dmp
    Filesize

    3.0MB

    Download