Overview

overview

10

Static

static

5

Purchase O...44.exe

windows7-x64

10

Purchase O...44.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    29-04-2024 10:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order For Consumables Eltra 888363725_9645364782_1197653623_836652746_22994644.exe

  • Size

    1.0MB

  • MD5

    0de4eb1758f5ef209ed50d5728cbb729

  • SHA1

    dc50323b58a5f7a71f9c51c135e09f522aba1d26

  • SHA256

    f6723f25605e46b8bdd2a8a875ee319c40108491934b2f8fbcdd58d649cbc651

  • SHA512

    616bac0fdbf0ae628b8c6fb1cc2608a966703dce4005ea0812b9e7102e7db2e064c2e5512b725a10b052bf0f41d91888b9dcac7d63da22e6d844488dba366286

  • SSDEEP

    24576:FAHnh+eWsN3skA4RV1Hom2KXMmHakjr3rmhkjknnL5:0h+ZkldoPK8YakvqhkjkN

Score
10/10
formbookse63ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

se63

Decoy

socratesandhisclouds.com

versioncolor.com

ytcp011.com

908511.vip

egysrvs.com

ky5682011.cc

kkuu14.icu

wavebsb.com

klikadelivery.com

jnbxbpq.com

5o8oh.us

hemule.net

techinf.xyz

bevage.club

we37h.com

tipsde.shop

48136.vip

bestcampertrailerbrands.com

fairmedics.in

quixonic.tech

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Purchase Order For Consumables Eltra 888363725_9645364782_1197653623_836652746_22994644.exe
    "C:\Users\Admin\AppData\Local\Temp\Purchase Order For Consumables Eltra 888363725_9645364782_1197653623_836652746_22994644.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2088
    • C:\Windows\SysWOW64\svchost.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order For Consumables Eltra 888363725_9645364782_1197653623_836652746_22994644.exe"
      2⤵
        PID:2512

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2088-10-0x00000000006A0000-0x00000000006A4000-memory.dmp

      Filesize

      16KB

      Download

    • memory/2512-11-0x0000000000400000-0x000000000042F000-memory.dmp

      Filesize

      188KB

      Download