Overview

overview

10

Static

static

Shipment D...st.exe

windows7_x64

10

Shipment D...st.exe

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    25-02-2021 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Document BL,INV and packing list.exe

  • Size

    454KB

  • MD5

    553cd6156563de1a6bd068761a8b8066

  • SHA1

    bb500d28f113b37cdfa4d09f160a417214188ac2

  • SHA256

    10d80e3275154e9e39e98d3622a7af4f98a5fd1f0a073839d9e8d670cbd5d3e6

  • SHA512

    9750b665cf70d9b9000f11edeb26a77d7a0bc8b294aaeb948e51b8abc8239c1801b5b8784bdefef887141e7cda1759263e6e68cf18d1f63432eeb211d63b032b

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.webperb.com/nehc/

Decoy

havenmaple.com

katrinasmarket.com

ccharlet.com

everestmedicalgroupusa.net

powervoc.com

crypto300cluv.com

davidrichterlaw.com

parkcitysongfest.com

videogeniusawards.com

beleave.club

gooddeedprocessing.com

synthsup.com

eceiptsworld.com

infinityanalytics.co.uk

damghair.com

sabaidate.com

guitarsir.com

thebowlingspot.com

denturelabmiami.com

mo-cooking.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3012
    • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4760
      • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.exe"
        3⤵
          PID:520
        • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.exe
          "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:584
      • C:\Windows\SysWOW64\autochk.exe
        "C:\Windows\SysWOW64\autochk.exe"
        2⤵
          PID:672
        • C:\Windows\SysWOW64\autochk.exe
          "C:\Windows\SysWOW64\autochk.exe"
          2⤵
            PID:832
          • C:\Windows\SysWOW64\autochk.exe
            "C:\Windows\SysWOW64\autochk.exe"
            2⤵
              PID:876
            • C:\Windows\SysWOW64\autochk.exe
              "C:\Windows\SysWOW64\autochk.exe"
              2⤵
                PID:932
              • C:\Windows\SysWOW64\autoconv.exe
                "C:\Windows\SysWOW64\autoconv.exe"
                2⤵
                  PID:1008
                • C:\Windows\SysWOW64\autoconv.exe
                  "C:\Windows\SysWOW64\autoconv.exe"
                  2⤵
                    PID:1012
                  • C:\Windows\SysWOW64\rundll32.exe
                    "C:\Windows\SysWOW64\rundll32.exe"
                    2⤵
                    • Suspicious use of SetThreadContext
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious behavior: MapViewOfSection
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:640
                    • C:\Windows\SysWOW64\cmd.exe
                      /c del "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.exe"
                      3⤵
                        PID:1116

                  Network

                  MITRE ATT&CK Matrix

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/584-14-0x000000000041ECB0-mapping.dmp
                    Download
                  • memory/584-17-0x0000000000A80000-0x0000000000A94000-memory.dmp
                    Filesize

                    80KB

                    Download
                  • memory/584-16-0x0000000000F10000-0x0000000001230000-memory.dmp
                    Filesize

                    3.1MB

                    Download
                  • memory/584-13-0x0000000000400000-0x000000000042E000-memory.dmp
                    Filesize

                    184KB

                    Download
                  • memory/640-19-0x0000000000000000-mapping.dmp
                    Download
                  • memory/640-25-0x0000000004430000-0x00000000044C3000-memory.dmp
                    Filesize

                    588KB

                    Download
                  • memory/640-23-0x00000000046C0000-0x00000000049E0000-memory.dmp
                    Filesize

                    3.1MB

                    Download
                  • memory/640-20-0x0000000000260000-0x0000000000273000-memory.dmp
                    Filesize

                    76KB

                    Download
                  • memory/640-21-0x0000000002B20000-0x0000000002B4E000-memory.dmp
                    Filesize

                    184KB

                    Download
                  • memory/1116-22-0x0000000000000000-mapping.dmp
                    Download
                  • memory/3012-18-0x00000000030E0000-0x00000000031B1000-memory.dmp
                    Filesize

                    836KB

                    Download
                  • memory/3012-26-0x00000000058F0000-0x0000000005A1F000-memory.dmp
                    Filesize

                    1.2MB

                    Download
                  • memory/4760-12-0x0000000007B00000-0x0000000007B54000-memory.dmp
                    Filesize

                    336KB

                    Download
                  • memory/4760-3-0x0000000000F10000-0x0000000000F11000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4760-5-0x00000000057B0000-0x00000000057B1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4760-2-0x0000000073150000-0x000000007383E000-memory.dmp
                    Filesize

                    6.9MB

                    Download
                  • memory/4760-6-0x0000000005D50000-0x0000000005D51000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4760-7-0x00000000058F0000-0x00000000058F1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4760-8-0x00000000057A0000-0x00000000057A1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4760-11-0x0000000005AA0000-0x0000000005AA3000-memory.dmp
                    Filesize

                    12KB

                    Download
                  • memory/4760-10-0x00000000058B0000-0x00000000058B1000-memory.dmp
                    Filesize

                    4KB

                    Download
                  • memory/4760-9-0x0000000005AC0000-0x0000000005AC1000-memory.dmp
                    Filesize

                    4KB

                    Download