Analysis
max time kernel: 119s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 09-05-2024 01:08
Static task: static1
Behavioral task: behavioral1
Sample: 21d7877338874475e35745d384f8b055.exe
Resource: win7-20240419-en
General
Target: 21d7877338874475e35745d384f8b055.exe
Size: 436KB
MD5: 21d7877338874475e35745d384f8b055
SHA1: 958c14397b51c2dbbe7661c7896d8f084bcba331
SHA256: b3c0e790921677e61c5f37252ed0702fe1bed4e37e1aeabe1aa83864aebd8b95
SHA512: b53977bc81dedb7c55e26754704035723a4e901cba3706b9f7487076cf623daecdfe6396b99bcc14ea50b000180820c20b8a0530188bd3f2f67fca2d73779ed6
SSDEEP: 3072:0DeS7cfO2q/eS+U2gPG9e1WChPlQkqC3NXpVRK/2ufG0cJ7yr3vpgi8yBWX4BEVO:Sek2QeS2pqWCbZpVwmyrhg7doB8Ob
Malware Config
Extracted
formbook
3.8
wo
Signatures
Formbook payload (2 IoCs)
  resource: behavioral1/memory/1700-4-0x0000000000400000-0x000000000042A000-memory.dmp, yara_rule: formbook
  resource: behavioral1/memory/1700-10-0x000000000AFB0000-0x000000000B2B3000-memory.dmp, yara_rule: formbook
Suspicious behavior: EnumeratesProcesses (1 IoC)
  process: 21d7877338874475e35745d384f8b055.exe, pid: 1700
Suspicious use of FindShellTrayWindow (2 IoCs)
  process: 21d7877338874475e35745d384f8b055.exe, pid: 1700
  process: 21d7877338874475e35745d384f8b055.exe, pid: 1700
Suspicious use of SendNotifyMessage (2 IoCs)
  process: 21d7877338874475e35745d384f8b055.exe, pid: 1700
  process: 21d7877338874475e35745d384f8b055.exe, pid: 1700
Suspicious use of SetWindowsHookEx (1 IoC)
  process: 21d7877338874475e35745d384f8b055.exe, pid: 1700
Suspicious use of UnmapMainImage (1 IoC)
  process: 21d7877338874475e35745d384f8b055.exe, pid: 1700
Processes
Path: C:\Users\Admin\AppData\Local\Temp\21d7877338874475e35745d384f8b055.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\21d7877338874475e35745d384f8b055.exe"
PID: 1700
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage