Overview

overview

10

Static

static

PO2364#FD212003.exe

windows7_x64

10

PO2364#FD212003.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 08:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO2364#FD212003.exe

  • Size

    1.0MB

  • MD5

    b7c168ea63b8e1c2fa7eb4059d85283e

  • SHA1

    a41f448c52e01434275c86b928b8b64222e77734

  • SHA256

    f03367cb1758bddd8877e7aca02223797330fc8482d6ffce6f397730ffefd53f

  • SHA512

    b4cac0d652270d385014b0ef90159e279b768f1061ae1086e9df4043a838faed4585dc38b08426e76cc4c39d2c5ed7ccf399e28107eb8dd26011efed3a02cb63

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.styrelseforum.com/p95n/

Decoy

kimberlyrutledge.com

auctus.agency

johnemotions.com

guilt-brilliant.com

wxshangdian.com

theolivetreeonline.com

stellarfranchisebrands.com

every1no1.com

hoangthanhgroup.com

psm-gen.com

kingdomwow.com

digitalksr.com

karynpolitoforlg.com

youthdaycalgary.com

libertyhandymanservicesllc.com

breatheohio.com

allenleather.com

transformafter50.info

hnhsylsb.com

hmtradebd.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 46 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3128
      • C:\Users\Admin\AppData\Local\Temp\PO2364#FD212003.exe
        "C:\Users\Admin\AppData\Local\Temp\PO2364#FD212003.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:492
        • C:\Users\Admin\AppData\Local\Temp\PO2364#FD212003.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3960
          • C:\Windows\SysWOW64\systray.exe
            "C:\Windows\SysWOW64\systray.exe"
            4⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4068
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\PO2364#FD212003.exe"
              5⤵
                PID:1412
        • C:\Windows\SysWOW64\autofmt.exe
          "C:\Windows\SysWOW64\autofmt.exe"
          2⤵
            PID:3052
          • C:\Windows\SysWOW64\autofmt.exe
            "C:\Windows\SysWOW64\autofmt.exe"
            2⤵
              PID:2876
            • C:\Windows\SysWOW64\autofmt.exe
              "C:\Windows\SysWOW64\autofmt.exe"
              2⤵
                PID:3812

            Network

            MITRE ATT&CK Matrix

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/492-2-0x0000000002D40000-0x0000000002D41000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1412-14-0x0000000000000000-mapping.dmp
              Download
            • memory/3128-10-0x0000000005B00000-0x0000000005C13000-memory.dmp
              Filesize

              1.1MB

              Download
            • memory/3128-17-0x0000000001350000-0x000000000140A000-memory.dmp
              Filesize

              744KB

              Download
            • memory/3128-7-0x0000000006CA0000-0x0000000006E3D000-memory.dmp
              Filesize

              1.6MB

              Download
            • memory/3960-6-0x0000000001650000-0x0000000001664000-memory.dmp
              Filesize

              80KB

              Download
            • memory/3960-8-0x00000000012F0000-0x0000000001610000-memory.dmp
              Filesize

              3.1MB

              Download
            • memory/3960-9-0x0000000003110000-0x0000000003124000-memory.dmp
              Filesize

              80KB

              Download
            • memory/3960-4-0x000000000041EDF0-mapping.dmp
              Download
            • memory/3960-3-0x0000000000400000-0x000000000042E000-memory.dmp
              Filesize

              184KB

              Download
            • memory/4068-11-0x0000000000000000-mapping.dmp
              Download
            • memory/4068-12-0x0000000000E40000-0x0000000000E46000-memory.dmp
              Filesize

              24KB

              Download
            • memory/4068-13-0x0000000000D10000-0x0000000000D3E000-memory.dmp
              Filesize

              184KB

              Download
            • memory/4068-15-0x0000000004E10000-0x0000000005130000-memory.dmp
              Filesize

              3.1MB

              Download
            • memory/4068-16-0x0000000005130000-0x00000000051C3000-memory.dmp
              Filesize

              588KB

              Download