Overview

overview

10

Static

static

PO-23562#TZ232.exe

windows7_x64

10

PO-23562#TZ232.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    113s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 07:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO-23562#TZ232.exe

  • Size

    1.5MB

  • MD5

    357a14cfd77aeee6ccdefd6306790b6e

  • SHA1

    515e8f43b3261329f2da96a7f0e873061c33cbd8

  • SHA256

    cb2e173430a404a7cf52a54db1ff96b0de6eed1b8953d96b57e2780e45e71db9

  • SHA512

    dafb6a5de58bf0a42b378c6e83271e55d28204cf1255fa702b1b312d9b6b31c68315241db9089a4ee09445c202baea1bcf51a33ce6132513bff0331c21d48682

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.styrelseforum.com/p95n/

Decoy

kimberlyrutledge.com

auctus.agency

johnemotions.com

guilt-brilliant.com

wxshangdian.com

theolivetreeonline.com

stellarfranchisebrands.com

every1no1.com

hoangthanhgroup.com

psm-gen.com

kingdomwow.com

digitalksr.com

karynpolitoforlg.com

youthdaycalgary.com

libertyhandymanservicesllc.com

breatheohio.com

allenleather.com

transformafter50.info

hnhsylsb.com

hmtradebd.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 25 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232.exe
      "C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1444
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO-23562#TZ232.exe"
        3⤵
        • Deletes itself
        PID:408

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/408-17-0x0000000000000000-mapping.dmp
    Download
  • memory/844-2-0x0000000074450000-0x0000000074B3E000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/844-3-0x0000000000D10000-0x0000000000D11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/844-5-0x0000000000A10000-0x0000000000A8C000-memory.dmp
    Filesize

    496KB

    Download
  • memory/844-6-0x00000000009D0000-0x00000000009D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/844-7-0x0000000000390000-0x000000000039E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/844-8-0x0000000005AA0000-0x0000000005AF9000-memory.dmp
    Filesize

    356KB

    Download
  • memory/1204-14-0x0000000004D10000-0x0000000004EBC000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1444-10-0x000000000041EDF0-mapping.dmp
    Download
  • memory/1444-13-0x00000000002F0000-0x0000000000304000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1444-12-0x0000000000930000-0x0000000000C33000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1444-9-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1572-15-0x0000000000000000-mapping.dmp
    Download
  • memory/1572-16-0x00000000761E1000-0x00000000761E3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1572-18-0x0000000000BB0000-0x0000000000CA4000-memory.dmp
    Filesize

    976KB

    Download
  • memory/1572-19-0x0000000000110000-0x000000000013E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1572-20-0x0000000002240000-0x0000000002543000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1572-21-0x0000000000980000-0x0000000000A13000-memory.dmp
    Filesize

    588KB

    Download