Overview

overview

10

Static

static

flWhrV1J6MAi1kS.exe

windows7_x64

10

flWhrV1J6MAi1kS.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    09-11-2020 20:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    flWhrV1J6MAi1kS.exe

  • Size

    345KB

  • MD5

    61a281d6005afdcb7b9f25b16e71bff3

  • SHA1

    a380e614531478c3adf122e78568308e8a46f5c5

  • SHA256

    9148c87726f97b18e044b9059a608a3b809ae02a795d44c1609bff24232c45ac

  • SHA512

    bc174c366bfefc2acabdaa9b7548a726db82ff408cc145d85d5d7b0400e129d6688aa07928e0dd0a0bdcb9e0598ce86f48c77f7fc2607bdbe440014463eb0f9f

Score
10/10
formbookpersistenceratrezer0spywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.spatren.com/k0f/

Decoy

uao2o.info

hehe2.net

beautyqueenstores.com

chataan.com

brazzers-shop.biz

evolutionareligion.com

laysusannausboko.com

idewweddings.com

superwebox.com

moviesfan.net

deal-mix.com

infrarotgrilltest.info

corelesseposrolls.com

mpbrandl-finetrade-gamma.com

statement-log-in.info

romita4harrison.com

cpateamconsultant.com

gxdiaoyu.com

motocenterlaba.com

mlrs1314.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • rezer0 1 IoCs

    Detects ReZer0, a packer with multiple versions used in various campaigns.

    rezer0
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spyware
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe
      "C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4800
      • C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3408
    • C:\Windows\SysWOW64\systray.exe
      "C:\Windows\SysWOW64\systray.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\flWhrV1J6MAi1kS.exe"
        3⤵
          PID:844
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:1184

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      2
      T1112

      Credential Access

      Credentials in Files

      1
      T1081

      Discovery

      Lateral Movement

      Collection

      Data from Local System

      1
      T1005

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logim.jpeg
        MD5

        5eb85fc03e1eba1fdc2262321ff2e43c

        SHA1

        c6a84314c9ffbaed143f569c444b8a9b3c04f5a2

        SHA256

        496d47789638cb04422cc0ea52b6f5e6e3c76393031f9a6d5cb24241305acd27

        SHA512

        4fe0ce889914c81701b3e04e011c9e4763c08a392e08268472b9d889a09b90688fae5464b0f3c1e152c56715286fd86356275d40f37b22e6afbd05246c6dad3c

        Download Submit
      • C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logrf.ini
        MD5

        2f245469795b865bdd1b956c23d7893d

        SHA1

        6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

        SHA256

        1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

        SHA512

        909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

        Download Submit
      • C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logri.ini
        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit
      • C:\Users\Admin\AppData\Roaming\8Q760--R\8Q7logrv.ini
        MD5

        bbc41c78bae6c71e63cb544a6a284d94

        SHA1

        33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a

        SHA256

        ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb

        SHA512

        0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

        Download Submit
      • memory/580-11-0x0000000000390000-0x0000000000396000-memory.dmp
        Filesize

        24KB

        Download
      • memory/580-15-0x00000000061C0000-0x00000000062DD000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/580-14-0x0000000005570000-0x00000000056D2000-memory.dmp
        Filesize

        1.4MB

        Download
      • memory/580-12-0x0000000000390000-0x0000000000396000-memory.dmp
        Filesize

        24KB

        Download
      • memory/580-10-0x0000000000000000-mapping.dmp
        Download
      • memory/844-13-0x0000000000000000-mapping.dmp
        Download
      • memory/1184-17-0x00007FF6642D0000-0x00007FF664363000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1184-16-0x0000000000000000-mapping.dmp
        Download
      • memory/1184-18-0x00007FF6642D0000-0x00007FF664363000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1184-19-0x00007FF6642D0000-0x00007FF664363000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3408-9-0x000000000041E320-mapping.dmp
        Download
      • memory/3408-8-0x0000000000400000-0x000000000042D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/4800-7-0x0000000005CB0000-0x0000000005CB1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-6-0x0000000005760000-0x0000000005794000-memory.dmp
        Filesize

        208KB

        Download
      • memory/4800-0-0x00000000739D0000-0x00000000740BE000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4800-5-0x00000000054E0000-0x00000000054E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-4-0x0000000001140000-0x000000000114F000-memory.dmp
        Filesize

        60KB

        Download
      • memory/4800-3-0x0000000005110000-0x0000000005111000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4800-1-0x00000000008D0000-0x00000000008D1000-memory.dmp
        Filesize

        4KB

        Download