Overview

overview

10

Static

static

MAERSK Boo...df.exe

windows7_x64

10

MAERSK Boo...df.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    26-02-2021 07:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    MAERSK Booking Confirmation_Pdf.exe

  • Size

    498KB

  • MD5

    90277a5bab7cc82507c6c23244ac1507

  • SHA1

    1500a32d309247c7d91b6930be4e6ba3849740c4

  • SHA256

    528006e667ab91fe8d56f0207c97cdb763c0a9386abb1ab16746add4e7efdef8

  • SHA512

    aa2b5674a3ab9240950ca6adbddfc7d2c5e3278d261ee9aed153d96d8deb4c6c4ca1a6ff8586b124250f03e8453537dcd2fc8be53d3f7930c90d1e98d0662af1

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.workonlinetimallen.com/dll/

Decoy

nyeconcreations.com

generar-k.com

refugiodelmate.com

elementclubhouse.com

freescorrs.xyz

tonesweettone.com

lojachicco.com

cyberxchange.net

strobelsolutions.com

tipsytravelerbar.com

shesheofnewyork.com

jdallmed.com

woefys.online

naviwatch.net

yuelvzuche.com

thehoneysuppliers.site

smokindeebflavors.com

preventvaccins.com

thepraisehouse.com

lgbtpridedirectory.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:440
    • C:\Windows\system32\NOTEPAD.EXE
      "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\SuspendMove.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1052
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1356
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\MAERSK Booking Confirmation_Pdf.exe"
        3⤵
        • Deletes itself
        PID:688

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/400-8-0x000007FEF6380000-0x000007FEF65FA000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/440-10-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/440-13-0x0000000000970000-0x0000000000C73000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/440-14-0x00000000001D0000-0x00000000001E4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/440-11-0x000000000041EBD0-mapping.dmp
    Download
  • memory/688-17-0x0000000000000000-mapping.dmp
    Download
  • memory/1052-7-0x000007FEFBEC1000-0x000007FEFBEC3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1192-15-0x0000000007670000-0x0000000007806000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1192-22-0x0000000004160000-0x0000000004213000-memory.dmp
    Filesize

    716KB

    Download
  • memory/1356-16-0x0000000000000000-mapping.dmp
    Download
  • memory/1356-18-0x0000000000860000-0x000000000086D000-memory.dmp
    Filesize

    52KB

    Download
  • memory/1356-19-0x0000000000100000-0x000000000012E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1356-20-0x0000000001F40000-0x0000000002243000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1356-21-0x0000000001D10000-0x0000000001DA3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1636-9-0x0000000004E30000-0x0000000004E84000-memory.dmp
    Filesize

    336KB

    Download
  • memory/1636-2-0x00000000746F0000-0x0000000074DDE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/1636-6-0x0000000000350000-0x0000000000353000-memory.dmp
    Filesize

    12KB

    Download
  • memory/1636-5-0x0000000004CF0000-0x0000000004CF1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1636-3-0x0000000000120000-0x0000000000121000-memory.dmp
    Filesize

    4KB

    Download