Overview

overview

10

Static

static

2021_50SG0...df.exe

windows7_x64

10

2021_50SG0...df.exe

windows10_x64

10

Analysis

  • max time kernel
    145s
  • max time network
    119s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-01-2021 07:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2021_50SG0BK00T1,pdf.exe

  • Size

    1.0MB

  • MD5

    89f2269c6b922334a760d393a84e14f5

  • SHA1

    c745861fede33861fb7ecb4e74fec7ffc2f65838

  • SHA256

    e7063cc17e4ab85b0ae947f6366f4a955758d2e3ef81bb2476f77aec1f77daae

  • SHA512

    3779f0399da5297c82086512b516fb6bfd05df9831c995001988bf0cbe2fe20258316c9e19e3810240e0414a059f7132d73835a9cfa4cc8ab5845d98887a46ce

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.radissonhotelsusa.com/cp5/

Decoy

glcpunix.com

marabierta-coaching.com

osrs-remastered.com

lineagehealthxwellness.com

dunyadagezilecekyerler.com

negociosyfinanzasfaciles.com

bifa510.com

houseofutamasa.com

dopeneeds.com

sailacc.com

thewindgallery.com

elvinrisky.com

flowersassistedliving.com

lzbnwy.com

mrpentester.com

joinmytradingteam.com

jasabuatvisa.com

meherunnessa-foundation.com

notyourtypicaljocks.com

lobo-sports.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\2021_50SG0BK00T1,pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\2021_50SG0BK00T1,pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3132
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uQbWwWGLjoOA" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5247.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1892
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1172
    • C:\Windows\SysWOW64\autoconv.exe
      "C:\Windows\SysWOW64\autoconv.exe"
      2⤵
        PID:3960
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\SysWOW64\cscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3744
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
            PID:3832

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\tmp5247.tmp
        MD5

        906442277d36decca2a3ed1700a3fc75

        SHA1

        ba76db5f6c0d57cdd78092b97d935ece1b13c572

        SHA256

        f738f150ce4bef6516d36d1fd6f1dd44eb24c94ec69cc7f75e54273e46b34ecc

        SHA512

        34381402cf738a1de6c3bd80f6ef042b2176beab32a6883d13684d12d6775b42623fde30ba772e25979621f0a329f92843a5afbcc7e961a8dd7d67078a40123b

        Download Submit
      • memory/1172-20-0x0000000001470000-0x0000000001484000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1172-19-0x0000000001490000-0x00000000017B0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/1172-17-0x000000000041EBF0-mapping.dmp
        Download
      • memory/1172-16-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1892-14-0x0000000000000000-mapping.dmp
        Download
      • memory/3028-29-0x00000000014E0000-0x00000000015A4000-memory.dmp
        Filesize

        784KB

        Download
      • memory/3028-21-0x0000000006D50000-0x0000000006E90000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/3132-9-0x0000000004AD0000-0x0000000004AD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-5-0x0000000004B30000-0x0000000004B31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-13-0x0000000005D50000-0x0000000005DB7000-memory.dmp
        Filesize

        412KB

        Download
      • memory/3132-11-0x00000000055D0000-0x00000000055D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-10-0x0000000004D90000-0x0000000004D91000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-2-0x0000000073820000-0x0000000073F0E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/3132-8-0x0000000004E10000-0x0000000004E11000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-7-0x0000000004BD0000-0x0000000004BD1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-6-0x00000000050D0000-0x00000000050D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3132-12-0x0000000004E90000-0x0000000004EB3000-memory.dmp
        Filesize

        140KB

        Download
      • memory/3132-3-0x0000000000070000-0x0000000000071000-memory.dmp
        Filesize

        4KB

        Download
      • memory/3744-24-0x0000000000B00000-0x0000000000B27000-memory.dmp
        Filesize

        156KB

        Download
      • memory/3744-25-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/3744-26-0x0000000004480000-0x00000000047A0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/3744-28-0x00000000042E0000-0x0000000004373000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3744-22-0x0000000000000000-mapping.dmp
        Download
      • memory/3832-23-0x0000000000000000-mapping.dmp
        Download