Overview

overview

10

Static

static

1

Requiremen...mm.exe

windows7_x64

10

Requiremen...mm.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    143s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 06:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Requirement of Sonic Tube 50 mm.exe

  • Size

    299KB

  • MD5

    5e51248701b8a456d39854abfe287c86

  • SHA1

    e4c46f8e5d7eceeaab88591c75fb55c8c52b963c

  • SHA256

    c1a40dbca9d28ac760447f501d812b82312be281ee699fdcc4a6a543077caa3d

  • SHA512

    f122ce0ee0daa496fc5714f8e7f0cdffa590877e16a3aba4980afbf9007942264b0ca71de16af81a188e089ffcb39f1ffaf75d0b635ac1b662ff424661f297ee

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.fun4gang.xyz/thg/

Decoy

retrospectphotographydesign.com

jafodraws.com

cigiwie.space

upgradecarehealth.com

12ts.xyz

111indianbend.com

qqchbakery.com

0831xx.com

supecret.com

ayfadopple.com

coldwateradvisors.com

forexgiftcard.com

actionconsultingchile.com

mpsconcrete.net

carmallc.com

b167888.com

simonking.xyz

elitedigitalperformance.com

essentialjanitorialservices.com

barcosocasionberga.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Loads dropped DLL 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe
    "C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:4704
    • C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe
      "C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:3544
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Requirement of Sonic Tube 50 mm.exe"
        3⤵
          PID:1864

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • \Users\Admin\AppData\Local\Temp\nlpbha0c.dll
      MD5

      34d8148a0d0b33fdfe9f89c44c8707ec

      SHA1

      265339396a2cd3eaf6bf402b6efd71b26a53714b

      SHA256

      de162165c56d9255db512fe5be1231dd314be01601ffdd0b41c99999acfc1927

      SHA512

      19aa24537ceacd879c09147a3efa9a30fc54a1bcbe2b8ec7c06c8707fb74ebd7402fef5345f612672d7b1b9d24be66ae9eff844b1fa6538453124749b8ce5738

      Download Submit
    • \Users\Admin\AppData\Local\Temp\nsl556A.tmp\System.dll
      MD5

      fccff8cb7a1067e23fd2e2b63971a8e1

      SHA1

      30e2a9e137c1223a78a0f7b0bf96a1c361976d91

      SHA256

      6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

      SHA512

      f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

      Download Submit
    • memory/1864-12-0x0000000000000000-mapping.dmp
      Download
    • memory/2092-16-0x0000000004DC0000-0x0000000004E53000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2092-15-0x0000000004F60000-0x0000000005280000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2092-13-0x0000000001250000-0x000000000168F000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/2092-14-0x0000000000990000-0x00000000009BE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2092-11-0x0000000000000000-mapping.dmp
      Download
    • memory/2896-10-0x00000000053B0000-0x00000000054EB000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2896-8-0x0000000002B60000-0x0000000002C2A000-memory.dmp
      Filesize

      808KB

      Download
    • memory/2896-18-0x00000000054F0000-0x000000000558F000-memory.dmp
      Filesize

      636KB

      Download
    • memory/3544-9-0x0000000000550000-0x0000000000564000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3544-7-0x0000000000A80000-0x0000000000DA0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3544-5-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3544-6-0x0000000000510000-0x0000000000524000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3544-4-0x000000000041EAE0-mapping.dmp
      Download