Overview

overview

10

Static

static

Bookibg Co...df.exe

windows7_x64

10

Bookibg Co...df.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    27-02-2021 07:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Bookibg Confirmation_Pdf.exe

  • Size

    792KB

  • MD5

    f8ebfd07c19a299ac8da762992a3c36b

  • SHA1

    7ef77d36b5bc3ab145d6482396c9d73500083859

  • SHA256

    929a7bad454fe91b472f3cf802633eaab7c4673e55a9dc03ff820cedf8309251

  • SHA512

    5f0b71f880408f306ea267098f46b340538cf4529d9c8c2838694eef9047410bf0bbed1f2f11c5addf50eb94eb0029db87eb8730349d1a5b63603e06ab61ac2f

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

C2

http://www.workonlinetimallen.com/dll/

Decoy

nyeconcreations.com

generar-k.com

refugiodelmate.com

elementclubhouse.com

freescorrs.xyz

tonesweettone.com

lojachicco.com

cyberxchange.net

strobelsolutions.com

tipsytravelerbar.com

shesheofnewyork.com

jdallmed.com

woefys.online

naviwatch.net

yuelvzuche.com

thehoneysuppliers.site

smokindeebflavors.com

preventvaccins.com

thepraisehouse.com

lgbtpridedirectory.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2828
    • C:\Users\Admin\AppData\Local\Temp\Bookibg Confirmation_Pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\Bookibg Confirmation_Pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Local\Temp\Bookibg Confirmation_Pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\Bookibg Confirmation_Pdf.exe"
        3⤵
          PID:508
        • C:\Users\Admin\AppData\Local\Temp\Bookibg Confirmation_Pdf.exe
          "C:\Users\Admin\AppData\Local\Temp\Bookibg Confirmation_Pdf.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2756
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\SysWOW64\cscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:748
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\Bookibg Confirmation_Pdf.exe"
          3⤵
            PID:740

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/740-22-0x0000000000000000-mapping.dmp
        Download
      • memory/748-19-0x0000000000000000-mapping.dmp
        Download
      • memory/748-25-0x0000000004D10000-0x0000000004DA3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/748-23-0x0000000004ED0000-0x00000000051F0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/748-20-0x0000000001270000-0x0000000001297000-memory.dmp
        Filesize

        156KB

        Download
      • memory/748-21-0x0000000000D30000-0x0000000000D5E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2604-8-0x0000000007440000-0x0000000007441000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-2-0x0000000073940000-0x000000007402E000-memory.dmp
        Filesize

        6.9MB

        Download
      • memory/2604-11-0x000000000AA40000-0x000000000AA43000-memory.dmp
        Filesize

        12KB

        Download
      • memory/2604-12-0x00000000090D0000-0x0000000009124000-memory.dmp
        Filesize

        336KB

        Download
      • memory/2604-10-0x0000000007650000-0x0000000007651000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-3-0x00000000005F0000-0x00000000005F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-5-0x0000000007390000-0x0000000007391000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-6-0x0000000007930000-0x0000000007931000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-7-0x00000000074D0000-0x00000000074D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2604-9-0x00000000076C0000-0x00000000076C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2756-13-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/2756-17-0x0000000001710000-0x0000000001724000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2756-16-0x00000000017B0000-0x0000000001AD0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2756-14-0x000000000041EBD0-mapping.dmp
        Download
      • memory/2828-18-0x00000000058B0000-0x00000000059EC000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/2828-26-0x0000000003280000-0x0000000003343000-memory.dmp
        Filesize

        780KB

        Download