Overview

overview

10

Static

static

10

bin-crypted.exe

windows10-2004-x64

10

bin-crypted.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250410-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250410-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/04/2025, 14:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    bin-crypted.exe

  • Size

    349KB

  • MD5

    8d9ce3796ab75494d8506e1317ad0edf

  • SHA1

    601541fd266a7894d9f40b923a312ea5fe1bbeec

  • SHA256

    20e06558da9221d09648c2a64bd93b8bfa9d7d67ab9bc0c16d7d4035f1b8b454

  • SHA512

    2fadd09017c7e2536e174a78b21d14ab901e203dcc9f5a0db0c164e3f364e51c431b5238749d56bcbee6ad12c644cd4fb29d08fefdf89d829f71e94a2df8c3a0

  • SSDEEP

    3072:WQnciRMiqBIBub5iaeijvOwQF/MhZeqnOe103huHXJ+9ihSSHYgIPQjy1xYq:eBIMbo4iF/MXe2103hu09ihSU0wG

Score
10/10
formbookjc27discoveryratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

jc27

Decoy

uymygel.xyz

aregiver-services-test01.sbs

ouyin67gh.vip

lobalz.top

cl1ic4.pro

mconotc.top

hmm365.cfd

olonam.shop

ionnel.shop

ntroductorypage.info

einopumpify.net

hsnac.xyz

rameny.net

itness-apps1-s2025.sbs

nshulthakurdev.pro

iveawaywin.online

setobe.info

ostury.shop

5r03a.sbs

yota-blog.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook family
    formbook
  • Suspicious use of SetThreadContext 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3528
    • C:\Users\Admin\AppData\Local\Temp\bin-crypted.exe
      "C:\Users\Admin\AppData\Local\Temp\bin-crypted.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:464
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3100
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\bin-crypted.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:5236

Network

MITRE ATT&CK Enterprise v16

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/464-0-0x00000000017C0000-0x0000000001B0A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/464-2-0x00000000000F0000-0x0000000000148000-memory.dmp

    Filesize

    352KB

    Download

  • memory/464-1-0x000000000010F000-0x0000000000110000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3100-11-0x0000000000C20000-0x0000000000C4F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3100-4-0x00000000005E0000-0x00000000005F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3100-6-0x00000000005E0000-0x00000000005F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3100-8-0x00000000005E0000-0x00000000005F2000-memory.dmp

    Filesize

    72KB

    Download

  • memory/3100-9-0x0000000000C20000-0x0000000000C4F000-memory.dmp

    Filesize

    188KB

    Download

  • memory/3100-10-0x0000000002B30000-0x0000000002E7A000-memory.dmp

    Filesize

    3.3MB

    Download

  • memory/3100-14-0x0000000002970000-0x0000000002A04000-memory.dmp

    Filesize

    592KB

    Download

  • memory/3528-3-0x00000000084B0000-0x0000000008588000-memory.dmp

    Filesize

    864KB

    Download

  • memory/3528-12-0x00000000084B0000-0x0000000008588000-memory.dmp

    Filesize

    864KB

    Download

  • memory/3528-15-0x0000000008950000-0x0000000008ACF000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3528-16-0x0000000008950000-0x0000000008ACF000-memory.dmp

    Filesize

    1.5MB

    Download

  • memory/3528-18-0x0000000008950000-0x0000000008ACF000-memory.dmp

    Filesize

    1.5MB

    Download