Analysis

  • max time kernel
    151s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    13-01-2021 20:20

General

  • Target

    20210113432.exe

  • Size

    1.0MB

  • MD5

    13dbc9c1c5a2811ecbee5f420c9c75b6

  • SHA1

    6b01e540d3757944b61baa187159a908e170d5ae

  • SHA256

    ba41656ca5e0e243cff9f6a536c43998a9dbc492f5e813a0022e84359b2e0ef8

  • SHA512

    ae1414b91ba91a29575901ac0daf55aa937454b1afcd53d7d0c9461ca2b48d65bb1f3213ad23853987a40381a2f57be359fdbf7848ff57432b5e95ffd4cbcea1

Malware Config

Extracted

Family

formbook

C2

http://www.southsideflooringcreations.com/dkk/

Decoy

Signatures

  • Formbook

    Formbook is a data-stealing (information-stealer) malware family.

  • Formbook Payload 3 IoCs
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\20210113432.exe
      "C:\Users\Admin\AppData\Local\Temp\20210113432.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:644
      • C:\Users\Admin\AppData\Local\Temp\20210113432.exe
        "C:\Users\Admin\AppData\Local\Temp\20210113432.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1528
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:652
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\20210113432.exe"
        3⤵
        • Deletes itself
        PID:728

Network

MITRE ATT&CK Matrix

Downloads

  • memory/644-2-0x0000000074390000-0x0000000074A7E000-memory.dmp
    Filesize

    6.9MB

  • memory/644-3-0x0000000000190000-0x0000000000191000-memory.dmp
    Filesize

    4KB

  • memory/644-5-0x00000000004F0000-0x0000000000502000-memory.dmp
    Filesize

    72KB

  • memory/644-6-0x0000000004CD0000-0x0000000004D3A000-memory.dmp
    Filesize

    424KB

  • memory/652-9-0x0000000000000000-mapping.dmp
  • memory/652-10-0x0000000000050000-0x000000000005E000-memory.dmp
    Filesize

    56KB

  • memory/652-12-0x0000000003130000-0x00000000031F2000-memory.dmp
    Filesize

    776KB

  • memory/728-11-0x0000000000000000-mapping.dmp
  • memory/1528-7-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

  • memory/1528-8-0x000000000041EC00-mapping.dmp