Overview

overview

10

Static

static

CONT NO DF...st.exe

windows7_x64

10

CONT NO DF...st.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    141s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    26-02-2021 16:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CONT NO DFSU125310 products list.exe

  • Size

    1.0MB

  • MD5

    5a92c96663ac34dd87d73e789c27f610

  • SHA1

    46e21943df04f53eb175007c4bff3040619ae50b

  • SHA256

    9f38ade8e53d28eef33a81e0559b92b44fa878ae9b61fadd3bb245d33486e2c0

  • SHA512

    1bfb7176c5e9eeb2103a36760137fbe773d8b3170842e8e1e92a3b4629b140f93b4804a0198732a71924e0f4514325575310986e8b41805f860f844d01f1ca8a

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.discorddeno.land/suod/

Decoy

casirivimab.info

johnvogia.com

lzdafang.com

tarihmarketi.com

singalongpress.com

three60farms.com

websky.pro

jacketsmecca.com

magentos6.com

brooksideseniorapts.com

onewhistleandflags.com

naturopathe-valdoise-france.com

reflexmem.com

kurumsalpanel.com

bhuwarecruitment.com

exponentialhealth.online

posttensionrepairs.com

prbrokerllc.com

aashealthcarestaffing.com

pubgeventcenter.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe
      "C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe
        "C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1524
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\CONT NO DFSU125310 products list.exe"
        3⤵
          PID:1128

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1052-3-0x0000000000A90000-0x0000000000A91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-5-0x0000000005440000-0x0000000005441000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-6-0x00000000059E0000-0x00000000059E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-7-0x00000000054E0000-0x00000000054E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-8-0x0000000005630000-0x0000000005631000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-9-0x00000000053B0000-0x00000000053B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-10-0x0000000005730000-0x0000000005731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1052-11-0x00000000053D0000-0x00000000053D3000-memory.dmp

      Filesize

      12KB

      Download

    • memory/1052-12-0x0000000006060000-0x00000000060B4000-memory.dmp

      Filesize

      336KB

      Download

    • memory/1052-2-0x0000000073BE0000-0x00000000742CE000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/1128-22-0x0000000000000000-mapping.dmp

      Download

    • memory/1524-13-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1524-16-0x0000000001900000-0x0000000001C20000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1524-17-0x0000000001430000-0x0000000001444000-memory.dmp

      Filesize

      80KB

      Download

    • memory/1524-14-0x000000000041ED90-mapping.dmp

      Download

    • memory/1528-19-0x0000000000000000-mapping.dmp

      Download

    • memory/1528-20-0x0000000000C80000-0x0000000000C8B000-memory.dmp

      Filesize

      44KB

      Download

    • memory/1528-21-0x00000000030B0000-0x00000000030DE000-memory.dmp

      Filesize

      184KB

      Download

    • memory/1528-23-0x00000000037A0000-0x0000000003AC0000-memory.dmp

      Filesize

      3.1MB

      Download

    • memory/1528-24-0x0000000003AC0000-0x0000000003B53000-memory.dmp

      Filesize

      588KB

      Download

    • memory/3040-18-0x0000000002FB0000-0x00000000030AA000-memory.dmp

      Filesize

      1000KB

      Download

    • memory/3040-25-0x0000000001030000-0x00000000010E8000-memory.dmp

      Filesize

      736KB

      Download