Overview

overview

10

Static

static

aed69bded2...cb.exe

windows7_x64

10

aed69bded2...cb.exe

windows10_x64

10

Analysis

  • max time kernel
    69s
  • max time network
    16s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    04-12-2020 19:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aed69bded2c5920724549a7112b9fecb.exe

  • Size

    944KB

  • MD5

    aed69bded2c5920724549a7112b9fecb

  • SHA1

    c5b8acf38cec74a50b860cc28e057fe94f5faac3

  • SHA256

    a433e37681474497ad96a280d9578620c8875d1f99445ca976a84bf3bda3e008

  • SHA512

    86c4eed73ce33efed6d65fe2b6d55681cb9756258e4b8b380630f0cfcc3ff065ec7772d4607e4a24e041e4da1cc9edcb0ed3660c69d180414e5f6bede4bc8ef7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.artyhairworld.com/mgd/

Decoy

southwickspecialty.com

xn--ga-c9a.com

fqhyjz.com

svtrbu.com

expreshaliyikama.com

digitalcentervip.com

herpesland.com

mashadafc.com

tributoalcuerpo.com

containerflipperz.net

unearthsc.com

shoppingcart.pro

ekkleonline.com

bestfiveg.com

maranis.com

cryptogamernews.com

lyondaniels.com

its-all-about-the-bling.com

tigush.space

x-select.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\aed69bded2c5920724549a7112b9fecb.exe
    "C:\Users\Admin\AppData\Local\Temp\aed69bded2c5920724549a7112b9fecb.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1048
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\xuGfwTpgRYPQ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1C66.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:1452
    • C:\Users\Admin\AppData\Local\Temp\aed69bded2c5920724549a7112b9fecb.exe
      "C:\Users\Admin\AppData\Local\Temp\aed69bded2c5920724549a7112b9fecb.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:824

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp1C66.tmp
    MD5

    9b11ea4f0aef40b4f04db38e3e5c9a06

    SHA1

    b8a04e38d4e16bfd8afe5286da3e49031a98b070

    SHA256

    e5658afb29b093cc6f06bd5d7c05838981c20a0ab550a961e7f5e3916121dd94

    SHA512

    8b76da398b53351fa4e4d0067601b8d2e6fa0953cea639e8e177a74e8e2ae2e9936d4f03dd11f6aeb5e8f7ed00e0b448158d39f6304b017e35d0ff18056abc0a

    Download Submit
  • memory/824-12-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/824-13-0x000000000041EB30-mapping.dmp
    Download
  • memory/1048-2-0x0000000074110000-0x00000000747FE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1048-3-0x0000000000F10000-0x0000000000F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1048-5-0x0000000025700000-0x00000000456E8000-memory.dmp
    Filesize

    511.9MB

    Download
  • memory/1048-6-0x0000000000E50000-0x0000000000E9E000-memory.dmp
    Filesize

    312KB

    Download
  • memory/1048-7-0x0000000000A90000-0x0000000000A98000-memory.dmp
    Filesize

    32KB

    Download
  • memory/1048-9-0x0000000000EA0000-0x0000000000ED1000-memory.dmp
    Filesize

    196KB

    Download
  • memory/1452-10-0x0000000000000000-mapping.dmp
    Download