Overview

overview

10

Static

static

20210111140930669.exe

windows7_x64

10

20210111140930669.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    13s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    11-01-2021 09:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20210111140930669.exe

  • Size

    868KB

  • MD5

    55a9f49ac7b18c445a01aa766954a68d

  • SHA1

    73ebd37572a79adec31ceefda6bfec90a9f70f3a

  • SHA256

    1b6a34ba043c45cfc63367a5a35d3c58b074d723c666d018b3c4c0d950e42b40

  • SHA512

    50d1c160637c22e51432ac86e38f3e9e941069859ea02d62df505cb7e7190ba8282b0462520c0879798e1f3509283d2e13b5f3ef61bfe8a8699a18fc0cb482ef

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.midnightblueinc.com/2kf/

Decoy

edmondscakes.com

doublewldr.online

tickets2usa.com

heyhxry.com

weightloss-gulfport.com

prosselius.com

newviewroofers.com

jacksonarearealestate.com

catparkas.xyz

pagos2020.com

sonwsefjrahi.online

franchisethings.com

nuocvietngaynay.com

sohelvai.com

mikeyroush.com

lamesaroofing.com

betbigo138.com

amazon-service-recovery.com

clockin.net

riostrader.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 21 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe
      "C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:596
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HOvZfcnD" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1628
      • C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe
        "C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:396
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1496
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\20210111140930669.exe"
        3⤵
        • Deletes itself
        PID:1584

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmpD23D.tmp
    MD5

    b28efb15bff543f226c76f91c0060d46

    SHA1

    d1c7d6677ee2c1d64f3eb8df773d87069484b5f9

    SHA256

    c92467353d78d2d216a4dd87d28efcbe2ae0cba01afd991feec54909ffb08b88

    SHA512

    8db2ef5199cda81edb85164ff2a06d46da47bcb0c9a7bf8573ba62b3af4895945e87abd33b8eb2d5919948ef734a4a76305b85215b7ce7dfeac47be8f1e862ed

    Download Submit
  • memory/396-9-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/396-10-0x000000000041EB30-mapping.dmp
    Download
  • memory/596-2-0x0000000073D40000-0x000000007442E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/596-3-0x0000000001140000-0x0000000001141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/596-5-0x0000000000260000-0x0000000000272000-memory.dmp
    Filesize

    72KB

    Download
  • memory/596-6-0x0000000005000000-0x000000000506D000-memory.dmp
    Filesize

    436KB

    Download
  • memory/1496-11-0x0000000000000000-mapping.dmp
    Download
  • memory/1496-12-0x0000000000C60000-0x0000000000C6E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1496-14-0x0000000000B60000-0x0000000000C59000-memory.dmp
    Filesize

    996KB

    Download
  • memory/1584-13-0x0000000000000000-mapping.dmp
    Download
  • memory/1628-7-0x0000000000000000-mapping.dmp
    Download