Overview

overview

10

Static

static

180120211200.exe

windows7_x64

10

180120211200.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    10s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    18-01-2021 08:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    180120211200.exe

  • Size

    1.1MB

  • MD5

    293b5da09841ae1984a6478fd3caaf24

  • SHA1

    c903950fef8f029eda21f9bfe44f0c347471de35

  • SHA256

    29f154b8c244af71ad5dda7bee1e41896e78cf7e5f189219754962c10bcd4183

  • SHA512

    1f939e12af338e655444bf300ce0059a7eb2a67a5a4447282231ca41b5d48be8f8953a01cd551922006908383f2ee4df9f53ba745123f6bb152c3ee191b266bd

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.southsideflooringcreations.com/dkk/

Decoy

goldenfarmm.com

miproper.com

theutahan.com

efeteenerji.com

wellfarehealth.com

setricoo.com

enjoyablephotobooths.com

semaindustrial.com

jennywet.com

jackhughesart.com

cantgetryte.com

searko.com

zxrxhuny.icu

exoticorganicwine.com

fordexplorerproblems.com

locationwebtv.net

elinvoimainenperhe.com

mundoclik.com

nouvellenormale.com

talasnakliyat.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\180120211200.exe
      "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNQrxVm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp934A.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:2004
      • C:\Users\Admin\AppData\Local\Temp\180120211200.exe
        "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
        3⤵
          PID:268
        • C:\Users\Admin\AppData\Local\Temp\180120211200.exe
          "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:976
      • C:\Windows\SysWOW64\wscript.exe
        "C:\Windows\SysWOW64\wscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1744
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
          3⤵
          • Deletes itself
          PID:1148

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp934A.tmp
      MD5

      115b9efe4e4e915bb1fc5ef8c4a155ea

      SHA1

      0ebbbe3617510d415cf7dd45d1de5ce0b332f08d

      SHA256

      af105b9223159b13b1494c7c87afe6b54723cdb972059589559a6e14279f8d74

      SHA512

      1d4713001995f2153c7d573a543ff24373d2a7da4ffaba6ffbdd4f56a7c803cbaf24b95f01c4372c3a9ac476eb397be3817c89fed613740c232caf8b3ea6eb30

      Download Submit
    • memory/976-10-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/976-14-0x0000000000290000-0x00000000002A4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/976-13-0x0000000000B60000-0x0000000000E63000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/976-11-0x000000000041EC00-mapping.dmp
      Download
    • memory/1148-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1252-15-0x0000000006CE0000-0x0000000006E6F000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/1744-16-0x0000000000000000-mapping.dmp
      Download
    • memory/1744-19-0x00000000000D0000-0x00000000000FE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1744-20-0x0000000000BE0000-0x0000000000EE3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1744-18-0x0000000000FC0000-0x0000000000FE6000-memory.dmp
      Filesize

      152KB

      Download
    • memory/1744-21-0x0000000000A00000-0x0000000000A93000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2004-8-0x0000000000000000-mapping.dmp
      Download
    • memory/2028-7-0x0000000004CF0000-0x0000000004D9B000-memory.dmp
      Filesize

      684KB

      Download
    • memory/2028-6-0x00000000005F0000-0x0000000000603000-memory.dmp
      Filesize

      76KB

      Download
    • memory/2028-5-0x0000000004CB0000-0x0000000004CB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2028-2-0x0000000074EE0000-0x00000000755CE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2028-3-0x0000000000A40000-0x0000000000A41000-memory.dmp
      Filesize

      4KB

      Download