Overview

overview

10

Static

static

5

206f17d8a6...9d.exe

windows7-x64

10

206f17d8a6...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-06-2024 12:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    206f17d8a641d884bba4bf29413d8c11ececdc220a22777455b23f1cad77dd9d.exe

  • Size

    1.1MB

  • MD5

    d345b1de15380a01c02ae2ba9c941a42

  • SHA1

    77390e269cee60467364dedcdc4b5156e634d6a8

  • SHA256

    206f17d8a641d884bba4bf29413d8c11ececdc220a22777455b23f1cad77dd9d

  • SHA512

    4bbb55cd1666dfe1bc13dd315efda50dc3d475fdd942f90834c6c7a61a089cf2d3f39997f249ede6593acc49c4ab1102e555eebec093ab38a95c7b09569fd6f2

  • SSDEEP

    24576:zAHnh+eWsN3skA4RV1Hom2KXMmHaungmQu7/d+gIM5:+h+ZkldoPK8Yaun3/d/f

Score
10/10
formbookss63ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ss63

Decoy

catpig.xyz

chatladyanzensei7.site

onewayonepaydroptaxi.com

bima188.lol

wealth-km.online

seepao27200.top

6c958u9.lol

fbyu57ytsd.shop

baranetentegre.com

webaichimie.com

h3k38q2.lol

abicomsrl.com

338kp.vip

rescuecube.com

bubatz-t.com

psgluxuryapartments.com

goodfellowlawfirm.com

bais141.com

imingchu.com

ekzeanjfolzaks.top

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Users\Admin\AppData\Local\Temp\206f17d8a641d884bba4bf29413d8c11ececdc220a22777455b23f1cad77dd9d.exe
      "C:\Users\Admin\AppData\Local\Temp\206f17d8a641d884bba4bf29413d8c11ececdc220a22777455b23f1cad77dd9d.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1508
      • C:\Windows\SysWOW64\svchost.exe
        "C:\Users\Admin\AppData\Local\Temp\206f17d8a641d884bba4bf29413d8c11ececdc220a22777455b23f1cad77dd9d.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:4420
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:4588
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\SysWOW64\cscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1996
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\SysWOW64\svchost.exe"
          3⤵
            PID:780

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1508-10-0x0000000000E20000-0x0000000000E24000-memory.dmp
        Filesize

        16KB

        Download
      • memory/1996-17-0x0000000000CE0000-0x0000000000D07000-memory.dmp
        Filesize

        156KB

        Download
      • memory/1996-19-0x0000000000800000-0x000000000082F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1996-18-0x0000000000CE0000-0x0000000000D07000-memory.dmp
        Filesize

        156KB

        Download
      • memory/3484-21-0x0000000008510000-0x000000000864E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3484-16-0x0000000008510000-0x000000000864E000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3484-24-0x000000000AB20000-0x000000000AC8A000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/3484-25-0x000000000AB20000-0x000000000AC8A000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/3484-28-0x000000000AB20000-0x000000000AC8A000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/4420-14-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/4420-15-0x0000000001F00000-0x0000000001F15000-memory.dmp
        Filesize

        84KB

        Download
      • memory/4420-12-0x0000000001A00000-0x0000000001D4A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/4420-11-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download