Overview

overview

10

Static

static

3

9a565700a3...84.exe

windows7-x64

10

9a565700a3...84.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    156s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    27-03-2024 01:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784.exe

  • Size

    590KB

  • MD5

    2f9e1385a9c419ad70bb121e4250ae0a

  • SHA1

    ee2018b7427e3eccd78683018864043a72d841a9

  • SHA256

    9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784

  • SHA512

    9c7a9d86a29729b1189a027e11c40175928c2c76355678ebaa06a08b42a8b0d6c0e6ba6237d61aa81a8a80e8b9d52b22c877f45dd74a233c720fee10e6419917

  • SSDEEP

    12288:IS4CMwNNFJyvdgH7RPTwerlTuzRjynjSGqaJt2m8:IMFggH7RbweRTuzJsjSGqaJsm8

Score
10/10
formbooko22dratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

o22d

Decoy

stillsfengservices.com

protectagainstcrime.com

winiboya.com

mindbeforemusic.com

giyelz1i5.sbs

coin8899.com

coolgirls.club

ssdcf1416aasx.world

heir.solutions

soulmatchup.xyz

ingenetpy.com

knkvdqt5g.sbs

vireoremedy.com

leopolis.rent

apartment-for-rent-314.space

theenlightenedmotherhood.com

zidao.cloud

oi7982jbacdbfssagroup.monster

anandasnacks.com

start.beer

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784.exe
    "C:\Users\Admin\AppData\Local\Temp\9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:496
    • C:\Users\Admin\AppData\Local\Temp\9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784.exe
      "C:\Users\Admin\AppData\Local\Temp\9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784.exe"
      2⤵
        PID:400
      • C:\Users\Admin\AppData\Local\Temp\9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784.exe
        "C:\Users\Admin\AppData\Local\Temp\9a565700a3d3c7a802780c0e4ba717b082175fd33b5afc7dcfeb95905b6db784.exe"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2784
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2260,i,11662483365823245381,11064702639240765741,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:232

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/496-6-0x0000000005720000-0x0000000005732000-memory.dmp
        Filesize

        72KB

        Download
      • memory/496-1-0x0000000000B10000-0x0000000000BAA000-memory.dmp
        Filesize

        616KB

        Download
      • memory/496-2-0x0000000005C40000-0x00000000061E4000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/496-3-0x0000000005580000-0x0000000005612000-memory.dmp
        Filesize

        584KB

        Download
      • memory/496-4-0x0000000005750000-0x0000000005760000-memory.dmp
        Filesize

        64KB

        Download
      • memory/496-5-0x0000000005640000-0x000000000564A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/496-0-0x0000000074E80000-0x0000000075630000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/496-7-0x0000000005740000-0x000000000574C000-memory.dmp
        Filesize

        48KB

        Download
      • memory/496-8-0x0000000006AA0000-0x0000000006B16000-memory.dmp
        Filesize

        472KB

        Download
      • memory/496-9-0x0000000009520000-0x00000000095BC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/496-12-0x0000000074E80000-0x0000000075630000-memory.dmp
        Filesize

        7.7MB

        Download
      • memory/2784-10-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2784-13-0x0000000000E70000-0x00000000011BA000-memory.dmp
        Filesize

        3.3MB

        Download