Overview

overview

10

Static

static

SCAN_20210...69.exe

windows7_x64

1

SCAN_20210...69.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    13-01-2021 07:48

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    SCAN_20210113140930669.exe

  • Size

    1.0MB

  • MD5

    5f7d0bc54b8cfbfca3057aeddb3c0909

  • SHA1

    a426832c6b424a035cfb30f9d4ba07cd45dc5ce1

  • SHA256

    2120a958805532d53821fb90eaaa140d8a6461f667b392e352311ff896465f46

  • SHA512

    74977c2c7ac0793912dbc073cb7dc6184d42cab8d93e595abe673c65402b439e0adbaf2e82686dd11da79e4b6dc6d75e94a2745fe7c2e8fd1f2fd55de5b9082b

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.midnightblueinc.com/2kf/

Decoy

edmondscakes.com

doublewldr.online

tickets2usa.com

heyhxry.com

weightloss-gulfport.com

prosselius.com

newviewroofers.com

jacksonarearealestate.com

catparkas.xyz

pagos2020.com

sonwsefjrahi.online

franchisethings.com

nuocvietngaynay.com

sohelvai.com

mikeyroush.com

lamesaroofing.com

betbigo138.com

amazon-service-recovery.com

clockin.net

riostrader.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
      "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3564
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\fqJdWysg" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA42.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3228
      • C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe
        "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3484
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3096
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\SCAN_20210113140930669.exe"
        3⤵
          PID:3248

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpA42.tmp
      MD5

      a62b99ea51031c1a9316b07cffda6812

      SHA1

      f6a9e5632e9f43028802bb0ab8e508c70ba0924a

      SHA256

      a7c0d75bf79e277af9c721d221c6ebefc5ec188620461a1c452f81ba008d31e8

      SHA512

      d26cdf34e243d21416c126fff8e17572882ba9cd64d7307c1c042f7bf30931c9a329ffa24037b917213395513a88267cb23256e33caa6a5a0c14b3550ad4fe2d

      Download Submit
    • memory/3096-20-0x00000000011C0000-0x000000000126E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/3096-18-0x0000000001350000-0x0000000001367000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3096-17-0x0000000001350000-0x0000000001367000-memory.dmp
      Filesize

      92KB

      Download
    • memory/3096-16-0x0000000000000000-mapping.dmp
      Download
    • memory/3228-12-0x0000000000000000-mapping.dmp
      Download
    • memory/3248-19-0x0000000000000000-mapping.dmp
      Download
    • memory/3484-15-0x000000000041EB30-mapping.dmp
      Download
    • memory/3484-14-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3564-7-0x0000000005150000-0x0000000005151000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3564-11-0x0000000005EA0000-0x0000000005F0B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/3564-10-0x00000000050E0000-0x00000000050F2000-memory.dmp
      Filesize

      72KB

      Download
    • memory/3564-9-0x00000000052B0000-0x00000000052B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3564-8-0x0000000005090000-0x0000000005091000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3564-2-0x0000000073920000-0x000000007400E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/3564-6-0x00000000055B0000-0x00000000055B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3564-5-0x0000000004FD0000-0x0000000004FD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3564-3-0x00000000006E0000-0x00000000006E1000-memory.dmp
      Filesize

      4KB

      Download