Overview

overview

10

Static

static

BL copy or...21.exe

windows7_x64

10

BL copy or...21.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 07:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    BL copy order nr. 1054-21.exe

  • Size

    1.1MB

  • MD5

    27ce7deb2528e3f77342c372f8789fed

  • SHA1

    6d22d76fc1b7728d0f2065aca472f8c20bcd08bc

  • SHA256

    5c7b804890877a7a9da085d878b0fc1a444aa1b75965e16beab74c978fab6079

  • SHA512

    ba1ac8a35be56c4ee1ca2ab00082d33891184af1d5a9e97711aa92733a95adfaaa5f161de6868bbdb3dcc9fed0f71f32fcf71e3691f83cdb85c23fba7f502b0d

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.paniciagency.com/n6sn/

Decoy

siearrasmission.com

exploringcharlotte.com

michaelthomasgunn.com

automationmarketers.com

vynxcl3kv3.com

df2229.com

vazivaimmo.net

usful.info

vescuderoabogados.com

janidevco.com

newshum.com

teamworkgod.com

snowwayconstruction.com

s8fyit.com

economicidentity.com

jennysay.com

gamoauction.com

thebooksofblood.com

graymatter-bi.com

newtownquick.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3152
    • C:\Users\Admin\AppData\Local\Temp\BL copy order nr. 1054-21.exe
      "C:\Users\Admin\AppData\Local\Temp\BL copy order nr. 1054-21.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4808
      • C:\Users\Admin\AppData\Local\Temp\BL copy order nr. 1054-21.exe
        "C:\Users\Admin\AppData\Local\Temp\BL copy order nr. 1054-21.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:580
    • C:\Windows\SysWOW64\msdt.exe
      "C:\Windows\SysWOW64\msdt.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:896
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\BL copy order nr. 1054-21.exe"
        3⤵
          PID:1052

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/580-15-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/580-20-0x0000000001100000-0x0000000001114000-memory.dmp
      Filesize

      80KB

      Download
    • memory/580-19-0x0000000001580000-0x00000000018A0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/580-16-0x000000000041ED20-mapping.dmp
      Download
    • memory/896-27-0x0000000004670000-0x0000000004703000-memory.dmp
      Filesize

      588KB

      Download
    • memory/896-26-0x00000000047F0000-0x0000000004B10000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/896-24-0x00000000008B0000-0x0000000000A23000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/896-25-0x0000000000330000-0x000000000035E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/896-22-0x0000000000000000-mapping.dmp
      Download
    • memory/1052-23-0x0000000000000000-mapping.dmp
      Download
    • memory/3152-21-0x00000000056F0000-0x000000000582B000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3152-28-0x0000000006770000-0x000000000688D000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/4808-11-0x0000000005EE0000-0x0000000005EE1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-13-0x0000000005F40000-0x0000000005F63000-memory.dmp
      Filesize

      140KB

      Download
    • memory/4808-10-0x0000000005460000-0x0000000005461000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-9-0x0000000005560000-0x0000000005561000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-12-0x0000000005340000-0x0000000005341000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-8-0x0000000005300000-0x0000000005301000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-2-0x00000000739D0000-0x00000000740BE000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4808-7-0x00000000054C0000-0x00000000054C1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-6-0x0000000005920000-0x0000000005921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-5-0x0000000005380000-0x0000000005381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-3-0x00000000008D0000-0x00000000008D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4808-14-0x00000000065B0000-0x0000000006616000-memory.dmp
      Filesize

      408KB

      Download