Overview

overview

10

Static

static

Confirm!!.exe

windows7_x64

10

Confirm!!.exe

windows10_x64

10

Resubmissions

17-01-2021 18:00

210117-7tg4bkzgjn 10

17-01-2021 17:55

210117-y56mjft712 10

Analysis

  • max time kernel
    148s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    17-01-2021 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirm!!.exe

  • Size

    822KB

  • MD5

    7fe88cceaddc558f6c812a574dd7d2d8

  • SHA1

    feea6851987dec87602c10633c7748bb1a184b5a

  • SHA256

    005051028cd70b06d41a9703a87b07dfd779d03395073edf6d43aaa10a719040

  • SHA512

    7fc4a802bb5703a8b23853739f1a3c1a986f9fa623d0a7327243cad31c3a2cbcf31555f875e8b4ab707a336912707f5814ddfb0ee4540fe4a1d1e89131bef362

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.deuxus.com/t052/

Decoy

ladybug-learning.com

unforgottenstory.com

oldmopaiv.xyz

natashaexim.com

hannahmcelgunn.com

retargetingmachines.info

njoconline.com

unicornlankadelivery.com

giftkerala.com

englishfordoctors.online

schatzilandrvresort.com

brujoisaac.com

basiccampinggear.com

escapees.today

dgyxsy888.com

stevebana.xyz

mimozakebap.com

ezdoff.com

pluumyspalace.com

shaoshanshan.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\Confirm!!.exe
      "C:\Users\Admin\AppData\Local\Temp\Confirm!!.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4076
      • C:\Users\Admin\AppData\Local\Temp\Confirm!!.exe
        "C:\Users\Admin\AppData\Local\Temp\Confirm!!.exe"
        3⤵
          PID:1096
        • C:\Users\Admin\AppData\Local\Temp\Confirm!!.exe
          "C:\Users\Admin\AppData\Local\Temp\Confirm!!.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3628
      • C:\Windows\SysWOW64\explorer.exe
        "C:\Windows\SysWOW64\explorer.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2136
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Confirm!!.exe"
          3⤵
            PID:3980

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/2136-24-0x00000000050E0000-0x0000000005173000-memory.dmp
        Filesize

        588KB

        Download
      • memory/2136-23-0x00000000051A0000-0x00000000054C0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2136-21-0x0000000000E30000-0x0000000000E5E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2136-20-0x0000000001010000-0x000000000144F000-memory.dmp
        Filesize

        4.2MB

        Download
      • memory/2136-19-0x0000000000000000-mapping.dmp
        Download
      • memory/2756-18-0x0000000002B60000-0x0000000002C74000-memory.dmp
        Filesize

        1.1MB

        Download
      • memory/2756-25-0x00000000065A0000-0x0000000006727000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/3628-13-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/3628-16-0x0000000000F10000-0x0000000001230000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/3628-17-0x0000000001250000-0x0000000001264000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3628-14-0x000000000041ECC0-mapping.dmp
        Download
      • memory/3980-22-0x0000000000000000-mapping.dmp
        Download
      • memory/4076-10-0x0000000005710000-0x0000000005711000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4076-2-0x00000000739A0000-0x000000007408E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/4076-11-0x0000000005600000-0x0000000005613000-memory.dmp
        Filesize

        76KB

        Download
      • memory/4076-9-0x0000000005640000-0x0000000005641000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4076-8-0x0000000005340000-0x0000000005341000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4076-7-0x00000000054A0000-0x00000000054A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4076-12-0x0000000001380000-0x00000000013EB000-memory.dmp
        Filesize

        428KB

        Download
      • memory/4076-6-0x0000000005900000-0x0000000005901000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4076-5-0x0000000005360000-0x0000000005361000-memory.dmp
        Filesize

        4KB

        Download
      • memory/4076-3-0x0000000000A50000-0x0000000000A51000-memory.dmp
        Filesize

        4KB

        Download