Analysis

  • max time kernel
    148s
  • max time network
    130s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 20:13

General

  • Target

    Inv.exe

  • Size

    326KB

  • MD5

    a3aba7d40da6c8c86e4e8d035803f314

  • SHA1

    469b36f05939d6ec6457f1b72ba9f6c7a960be06

  • SHA256

    1f94eb81e3cde4f677fd210e1ff7f5d06987cbdc2fa7de79e28b224e49244b40

  • SHA512

    2cfa59a865a8292b98fb3e8e6ae79a4613d773be87c927ba4cc8e0f034010c0e5ebd0b85a74ca02ef59d47335908bcc610a597bc9cbfbfaaf364d76f51fff2fc

Malware Config

Extracted

Family

formbook

C2

http://www.nationshiphop.com/hko6/

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family (form grabbing, keylogging and credential theft).

  • Formbook Payload 3 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\Inv.exe
      "C:\Users\Admin\AppData\Local\Temp\Inv.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:4804
      • C:\Users\Admin\AppData\Local\Temp\Inv.exe
        "C:\Users\Admin\AppData\Local\Temp\Inv.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:824
        • C:\Windows\SysWOW64\raserver.exe
          "C:\Windows\SysWOW64\raserver.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3200
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\Inv.exe"
            5⤵
            PID:452

Downloads

  • memory/452-8-0x0000000000000000-mapping.dmp
  • memory/824-2-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize: 184KB
  • memory/824-3-0x000000000041ECF0-mapping.dmp
  • memory/3200-6-0x0000000001150000-0x000000000116F000-memory.dmp
    Filesize: 124KB
  • memory/3200-5-0x0000000000000000-mapping.dmp
  • memory/3200-7-0x0000000001150000-0x000000000116F000-memory.dmp
    Filesize: 124KB
  • memory/3200-9-0x0000000005660000-0x00000000057ED000-memory.dmp
    Filesize: 1.6MB