Analysis

  • max time kernel: 150s
  • max time network: 151s
  • platform: windows7_x64
  • resource: win7v20201028
  • submitted: 21-01-2021 19:23

General

  • Target: download.dat.exe
  • Size: 182KB
  • MD5: 124416d2b956cf91c800dc8d94e696b4
  • SHA1: d10ceb17baac1cd703f84903c159e19cc33f7357
  • SHA256: c765588034bd272b0ff08491d8b477776e4e284c37abcc9a8b7ae08acf0b4fb1
  • SHA512: 082aa13db5f569b6dec46faad7bd88d20a9de447831b99512496b2013ff1b478401ed9640948982c875544d0135e56b034505eb5cdef8829018934e1fc004e59

Malware Config

Extracted

  • Family: formbook
  • C2: http://www.familyof2.com/p3c/
  • Decoy:


Signatures

  • Formbook

    Formbook is data-stealing malware.

  • Formbook Payload (1 IoC)
  • Deletes itself (1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (31 IoCs)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (2 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (4 IoCs)
  • Suspicious use of WriteProcessMemory (11 IoCs)

Processes

  • C:\Windows\Explorer.EXE (PID 1256)
    Command line: C:\Windows\Explorer.EXE
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\download.dat.exe (PID 1184)
      Command line: "C:\Users\Admin\AppData\Local\Temp\download.dat.exe"
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
    • C:\Windows\SysWOW64\msiexec.exe (PID 1780)
      Command line: "C:\Windows\SysWOW64\msiexec.exe"
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      • C:\Windows\SysWOW64\cmd.exe (PID 1596)
        Command line: /c del "C:\Users\Admin\AppData\Local\Temp\download.dat.exe"
        • Deletes itself

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1184-2-0x0000000000A20000-0x0000000000D23000-memory.dmp (Filesize: 3.0MB)
  • memory/1184-3-0x0000000000130000-0x0000000000144000-memory.dmp (Filesize: 80KB)
  • memory/1256-4-0x0000000006F50000-0x00000000070F9000-memory.dmp (Filesize: 1.7MB)
  • memory/1256-12-0x0000000002B20000-0x0000000002BE2000-memory.dmp (Filesize: 776KB)
  • memory/1596-10-0x0000000000000000-mapping.dmp
  • memory/1780-5-0x0000000000000000-mapping.dmp
  • memory/1780-6-0x00000000759F1000-0x00000000759F3000-memory.dmp (Filesize: 8KB)
  • memory/1780-7-0x0000000000CF0000-0x0000000000D04000-memory.dmp (Filesize: 80KB)
  • memory/1780-8-0x0000000000090000-0x00000000000BE000-memory.dmp (Filesize: 184KB)
  • memory/1780-9-0x00000000022A0000-0x00000000025A3000-memory.dmp (Filesize: 3.0MB)
  • memory/1780-11-0x0000000000B90000-0x0000000000C23000-memory.dmp (Filesize: 588KB)