Overview

overview

10

Static

static

180120211200.exe

windows7_x64

10

180120211200.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    111s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-01-2021 08:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    180120211200.exe

  • Size

    1.1MB

  • MD5

    293b5da09841ae1984a6478fd3caaf24

  • SHA1

    c903950fef8f029eda21f9bfe44f0c347471de35

  • SHA256

    29f154b8c244af71ad5dda7bee1e41896e78cf7e5f189219754962c10bcd4183

  • SHA512

    1f939e12af338e655444bf300ce0059a7eb2a67a5a4447282231ca41b5d48be8f8953a01cd551922006908383f2ee4df9f53ba745123f6bb152c3ee191b266bd

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.southsideflooringcreations.com/dkk/

Decoy

goldenfarmm.com

miproper.com

theutahan.com

efeteenerji.com

wellfarehealth.com

setricoo.com

enjoyablephotobooths.com

semaindustrial.com

jennywet.com

jackhughesart.com

cantgetryte.com

searko.com

zxrxhuny.icu

exoticorganicwine.com

fordexplorerproblems.com

locationwebtv.net

elinvoimainenperhe.com

mundoclik.com

nouvellenormale.com

talasnakliyat.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\180120211200.exe
      "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3084
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\HNQrxVm" /XML "C:\Users\Admin\AppData\Local\Temp\tmp58CA.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1332
      • C:\Users\Admin\AppData\Local\Temp\180120211200.exe
        "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
        3⤵
          PID:3132
        • C:\Users\Admin\AppData\Local\Temp\180120211200.exe
          "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
          3⤵
            PID:3200
          • C:\Users\Admin\AppData\Local\Temp\180120211200.exe
            "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:2064
        • C:\Windows\SysWOW64\netsh.exe
          "C:\Windows\SysWOW64\netsh.exe"
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:3928
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\180120211200.exe"
            3⤵
              PID:1740

        Network

        MITRE ATT&CK Matrix ATT&CK v6

        Initial Access

        Execution

        Scheduled Task

        1
        T1053

        Persistence

        Scheduled Task

        1
        T1053

        Privilege Escalation

        Scheduled Task

        1
        T1053

        Defense Evasion

        Credential Access

        Discovery

        Lateral Movement

        Collection

        Exfiltration

        Command and Control

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Temp\tmp58CA.tmp
          MD5

          b92c2e6bc5cda81a321b77bbd3269dca

          SHA1

          ca4a011f5af79eea08988ccaaef02937c1527c56

          SHA256

          f7295b289cd2be8c2af053a6f223b958e6a14b264199eec496869226141cdb93

          SHA512

          9b78ae2d0b0b3c31d13cbb4bb958f59d8655a9123da3a74830e948a7ded91e8fa21d7aa040e2941de59c0ae0406aedfa9d5463b33d7012088a662f9b13211a7c

          Download Submit
        • memory/1332-14-0x0000000000000000-mapping.dmp
          Download
        • memory/1740-26-0x0000000000000000-mapping.dmp
          Download
        • memory/2064-21-0x0000000000E20000-0x0000000000E34000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2064-20-0x0000000001270000-0x0000000001590000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/2064-17-0x000000000041EC00-mapping.dmp
          Download
        • memory/2064-16-0x0000000000400000-0x000000000042E000-memory.dmp
          Filesize

          184KB

          Download
        • memory/2828-22-0x00000000058B0000-0x00000000059C9000-memory.dmp
          Filesize

          1.1MB

          Download
        • memory/3084-8-0x0000000005710000-0x0000000005711000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3084-7-0x00000000057B0000-0x00000000057B1000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3084-13-0x0000000006650000-0x00000000066FB000-memory.dmp
          Filesize

          684KB

          Download
        • memory/3084-11-0x0000000006110000-0x0000000006111000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3084-10-0x0000000005970000-0x0000000005971000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3084-9-0x0000000005910000-0x0000000005911000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3084-2-0x0000000073940000-0x000000007402E000-memory.dmp
          Filesize

          6.9MB

          Download
        • memory/3084-12-0x0000000005790000-0x00000000057A3000-memory.dmp
          Filesize

          76KB

          Download
        • memory/3084-6-0x0000000005C10000-0x0000000005C11000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3084-5-0x0000000005670000-0x0000000005671000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3084-3-0x0000000000D40000-0x0000000000D41000-memory.dmp
          Filesize

          4KB

          Download
        • memory/3928-25-0x00000000009B0000-0x00000000009DE000-memory.dmp
          Filesize

          184KB

          Download
        • memory/3928-24-0x0000000001740000-0x000000000175E000-memory.dmp
          Filesize

          120KB

          Download
        • memory/3928-23-0x0000000000000000-mapping.dmp
          Download
        • memory/3928-27-0x0000000003760000-0x0000000003A80000-memory.dmp
          Filesize

          3.1MB

          Download