Overview

overview

10

Static

static

Details here.exe

windows7_x64

10

Details here.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    145s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 08:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Details here.exe

  • Size

    1.2MB

  • MD5

    a952c15d26e8b87cce83c842f9c56d71

  • SHA1

    734fab89fedb57add80068bc56267512d717c189

  • SHA256

    67710323c3dd7ba7cc04081512bdb304b4d7edd72975f2891c1f5893fdb75a8a

  • SHA512

    2b433b9670d54b588cd1bd77e302ef6dea911bdb6eb5043653003b2ec30d005fb953c7ec844235203b56e22e3e26b60cadcea7662a9a73471441d64e01b8c696

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.deuxus.com/t052/

Decoy

ladybug-learning.com

unforgottenstory.com

oldmopaiv.xyz

natashaexim.com

hannahmcelgunn.com

retargetingmachines.info

njoconline.com

unicornlankadelivery.com

giftkerala.com

englishfordoctors.online

schatzilandrvresort.com

brujoisaac.com

basiccampinggear.com

escapees.today

dgyxsy888.com

stevebana.xyz

mimozakebap.com

ezdoff.com

pluumyspalace.com

shaoshanshan.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2352
    • C:\Users\Admin\AppData\Local\Temp\Details here.exe
      "C:\Users\Admin\AppData\Local\Temp\Details here.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Users\Admin\AppData\Local\Temp\Details here.exe
        "C:\Users\Admin\AppData\Local\Temp\Details here.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:976
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:2896
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:4084
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:4020
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:3368
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:2184
              • C:\Windows\SysWOW64\autofmt.exe
                "C:\Windows\SysWOW64\autofmt.exe"
                2⤵
                  PID:3956
                • C:\Windows\SysWOW64\autofmt.exe
                  "C:\Windows\SysWOW64\autofmt.exe"
                  2⤵
                    PID:3964
                  • C:\Windows\SysWOW64\autofmt.exe
                    "C:\Windows\SysWOW64\autofmt.exe"
                    2⤵
                      PID:3960
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\SysWOW64\rundll32.exe"
                      2⤵
                      • Suspicious use of SetThreadContext
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious behavior: MapViewOfSection
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3944
                      • C:\Windows\SysWOW64\cmd.exe
                        /c del "C:\Users\Admin\AppData\Local\Temp\Details here.exe"
                        3⤵
                          PID:3808

                    Network

                    MITRE ATT&CK Matrix

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/976-14-0x0000000000400000-0x000000000042E000-memory.dmp
                      Filesize

                      184KB

                      Download
                    • memory/976-20-0x00000000017E0000-0x00000000017F4000-memory.dmp
                      Filesize

                      80KB

                      Download
                    • memory/976-18-0x0000000001480000-0x0000000001494000-memory.dmp
                      Filesize

                      80KB

                      Download
                    • memory/976-17-0x00000000014C0000-0x00000000017E0000-memory.dmp
                      Filesize

                      3.1MB

                      Download
                    • memory/976-15-0x000000000041ECC0-mapping.dmp
                      Download
                    • memory/1308-9-0x0000000005A20000-0x0000000005A21000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1308-5-0x0000000005760000-0x0000000005761000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1308-10-0x0000000006200000-0x0000000006201000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1308-11-0x0000000005A80000-0x0000000005A81000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1308-12-0x0000000005A00000-0x0000000005A13000-memory.dmp
                      Filesize

                      76KB

                      Download
                    • memory/1308-13-0x0000000001620000-0x00000000016C8000-memory.dmp
                      Filesize

                      672KB

                      Download
                    • memory/1308-8-0x00000000056D0000-0x00000000056D1000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1308-7-0x0000000005800000-0x0000000005801000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1308-6-0x0000000005D00000-0x0000000005D01000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/1308-2-0x0000000073C50000-0x000000007433E000-memory.dmp
                      Filesize

                      6.9MB

                      Download
                    • memory/1308-3-0x0000000000D80000-0x0000000000D81000-memory.dmp
                      Filesize

                      4KB

                      Download
                    • memory/2352-21-0x00000000028E0000-0x00000000029A9000-memory.dmp
                      Filesize

                      804KB

                      Download
                    • memory/2352-19-0x0000000000A50000-0x0000000000B33000-memory.dmp
                      Filesize

                      908KB

                      Download
                    • memory/2352-28-0x0000000005000000-0x0000000005145000-memory.dmp
                      Filesize

                      1.3MB

                      Download
                    • memory/3808-25-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3944-22-0x0000000000000000-mapping.dmp
                      Download
                    • memory/3944-24-0x0000000000870000-0x000000000089E000-memory.dmp
                      Filesize

                      184KB

                      Download
                    • memory/3944-23-0x0000000000950000-0x0000000000963000-memory.dmp
                      Filesize

                      76KB

                      Download
                    • memory/3944-26-0x0000000004BA0000-0x0000000004EC0000-memory.dmp
                      Filesize

                      3.1MB

                      Download
                    • memory/3944-27-0x0000000002D90000-0x0000000002E23000-memory.dmp
                      Filesize

                      588KB

                      Download