Overview

overview

10

Static

static

PO# 4415902670.exe

windows7_x64

10

PO# 4415902670.exe

windows10_x64

10

Analysis

  • max time kernel
    42s
  • max time network
    121s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-11-2020 06:45

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO# 4415902670.exe

  • Size

    542KB

  • MD5

    058e6f06a51e22bbc975eecf35c34844

  • SHA1

    638f4727a99bb389e8e6a77c4fbee17bdc19fc60

  • SHA256

    ad644da69f848609475d2a3d773eadf646d4c1e1cb20e4b87422d224e2ccbe32

  • SHA512

    0b04ed15c05b5c5791c8cc5478219e82e9f5def8d9d4f445ef03f3b39a8a76b7e28e7312914624c35b578a74927230e5e0f52c2039cd45db0047da255e15669e

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.klingenwacht.com/mlg/

Decoy

xintianpx.com

chrispsheehan.com

sensationallyot.com

veloceda.com

fanoosbattery.com

wenda7.com

cultivatecultura.com

mersinci.com

makeupbrushhes.com

vptexpediters.com

hispoemin.com

mikeshouseofathousandlegs.com

dealclosersplayback.com

knightdalesleeps.com

1uprealestate.com

showeraccessory.com

perthpanelbeaters.com

novergi.com

directmultiservice.com

mi-miftahurrohmah.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\PO# 4415902670.exe
    "C:\Users\Admin\AppData\Local\Temp\PO# 4415902670.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe"
      2⤵
        PID:3712
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3712 -s 176
          3⤵
          • Suspicious use of NtCreateProcessExOtherParentProcess
          • Program crash
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1324

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/732-7-0x00000000074E0000-0x00000000074E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-0-0x00000000730E0000-0x00000000737CE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/732-3-0x0000000004C50000-0x0000000004C51000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-4-0x00000000026B0000-0x00000000026C7000-memory.dmp
      Filesize

      92KB

      Download
    • memory/732-5-0x0000000004BF0000-0x0000000004C0F000-memory.dmp
      Filesize

      124KB

      Download
    • memory/732-6-0x0000000007900000-0x0000000007901000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-1-0x0000000000340000-0x0000000000341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/732-8-0x00000000074C0000-0x00000000074CA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/732-9-0x0000000007F00000-0x0000000007F01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1324-13-0x0000000004C80000-0x0000000004C81000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1324-16-0x0000000005330000-0x0000000005331000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3712-11-0x000000000041EB50-mapping.dmp
      Download
    • memory/3712-12-0x0000000000770000-0x000000000079E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3712-14-0x000000000041EB50-mapping.dmp
      Download