Overview

overview

10

Static

static

2021_50SG0...df.exe

windows7_x64

10

2021_50SG0...df.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    19-01-2021 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2021_50SG0BK00T1,pdf.exe

  • Size

    1.0MB

  • MD5

    89f2269c6b922334a760d393a84e14f5

  • SHA1

    c745861fede33861fb7ecb4e74fec7ffc2f65838

  • SHA256

    e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae

  • SHA512

    3779f0399da5297c82086512b516fb6bfd05df9831c995001988bf0cbe2fe20258316c9e19e3810240e0414a059f7132d73835a9cfa4cc8ab5845d98887a46ce

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.radissonhotelsusa.com/cp5/

Decoy

glcpunix.com

marabierta-coaching.com

osrs-remastered.com

lineagehealthxwellness.com

dunyadagezilecekyerler.com

negociosyfinanzasfaciles.com

bifa510.com

houseofutamasa.com

dopeneeds.com

sailacc.com

thewindgallery.com

elvinrisky.com

flowersassistedliving.com

lzbnwy.com

mrpentester.com

joinmytradingteam.com

jasabuatvisa.com

meherunnessa-foundation.com

notyourtypicaljocks.com

lobo-sports.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\2021_50SG0BK00T1,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\2021_50SG0BK00T1,pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1740
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQbWwWGLjoOA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1EA8.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1080
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1488
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:852

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp1EA8.tmp
      MD5

      2c6815719e8e92a21f28b78ff1ede6fb

      SHA1

      4f5a6910d31911c7cad94bf8e8b5dd975b09af90

      SHA256

      0e1e6cd2a66579e643b549afe6b645e97edfe926c3e9b96c8779d7dee6ed241e

      SHA512

      218050d0482f3109dd6735a67e7aab7ee4893e8cdfd9d5fa9805268dd35f23e730bb7a2c875b27edd3c2bb50d1c6270ad7fce912c5e529f07ca8912125aaf002

      Download Submit

    • memory/824-18-0x0000000000000000-mapping.dmp

      Download

    • memory/824-23-0x0000000001DD0000-0x0000000001E63000-memory.dmp

      Filesize

      588KB

      Download

    • memory/824-21-0x0000000001F60000-0x0000000002263000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/824-20-0x0000000000080000-0x00000000000AE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/824-19-0x00000000009B0000-0x00000000009C6000-memory.dmp

      Filesize

      88KB

      Download

    • memory/852-22-0x0000000000000000-mapping.dmp

      Download

    • memory/1080-8-0x0000000000000000-mapping.dmp

      Download

    • memory/1268-15-0x00000000060E0000-0x0000000006279000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/1268-17-0x0000000005EF0000-0x0000000005FAE000-memory.dmp

      Filesize

      760KB

      Download

    • memory/1488-11-0x000000000041EBF0-mapping.dmp

      Download

    • memory/1488-13-0x0000000000AE0000-0x0000000000DE3000-memory.dmp

      Filesize

      3.0MB

      Download

    • memory/1488-14-0x0000000000140000-0x0000000000154000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1488-16-0x0000000000190000-0x00000000001A4000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1488-10-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1740-2-0x00000000741A0000-0x000000007488E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1740-7-0x0000000004D90000-0x0000000004DF7000-memory.dmp

      Filesize

      412KB

      Download

    • memory/1740-6-0x0000000001F30000-0x0000000001F53000-memory.dmp

      Filesize

      140KB

      Download

    • memory/1740-5-0x0000000004C00000-0x0000000004C01000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1740-3-0x0000000000320000-0x0000000000321000-memory.dmp

      Filesize

      4KB

      Download