Overview

overview

10

Static

static

3

380c21fd37...e0.exe

windows7-x64

10

380c21fd37...e0.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    16s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    28-05-2024 10:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0.exe

  • Size

    594KB

  • MD5

    34b8885c737fa78ecc68c1bf0628f8c0

  • SHA1

    32936d1bce243a085c81147f1d569a1c20c44bb2

  • SHA256

    380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0

  • SHA512

    ed336237c0f5c038a1ffd2646b38c1d4cd6f4133e2be0f645f25a9e0b844c3f8f69aa6bcde18a072cc57da434006914ded57e2779084e0244dbbf44a3f193196

  • SSDEEP

    12288:zQ3yvK/bBMqQOa/71j+zmxnHJaA8YPGTU+aJczbxLedJJ4iav2hcll0WEm:+yqBMqQOiLnoYeyqzbxuv4im2hcT0fm

Score
10/10
formbookcr12ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

cr12

Decoy

nff1291.com

satyainfra.com

hechiceradeamores.com

jfgminimalist.com

qut68q.com

pedandmore.com

sugardefender24-usa.us

somalse.com

lotusluxecandle.com

certificadobassetpro.com

veryaroma.com

thehistoryofindia.in

33155.cc

terastudy.net

84031.vip

heilsambegegnen.com

horizon-rg.info

junongpei.website

winstons.club

henslotalt.us

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0.exe
    "C:\Users\Admin\AppData\Local\Temp\380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:2012
    • C:\Users\Admin\AppData\Local\Temp\380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0.exe
      "C:\Users\Admin\AppData\Local\Temp\380c21fd37cafa3619196df7b6337783921656dbf58f1f54b63c74ad411421e0.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3032

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/2012-6-0x0000000005680000-0x00000000056F6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/2012-1-0x0000000000D80000-0x0000000000E1A000-memory.dmp
    Filesize

    616KB

    Download
  • memory/2012-2-0x0000000074CD0000-0x00000000753BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/2012-3-0x00000000002A0000-0x00000000002B6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2012-4-0x00000000004A0000-0x00000000004AC000-memory.dmp
    Filesize

    48KB

    Download
  • memory/2012-5-0x00000000004B0000-0x00000000004C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/2012-0-0x0000000074CDE000-0x0000000074CDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2012-13-0x0000000074CD0000-0x00000000753BE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/3032-7-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3032-9-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3032-8-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3032-12-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/3032-14-0x0000000000E20000-0x0000000001123000-memory.dmp
    Filesize

    3.0MB

    Download