Overview

overview

10

Static

static

PO#560.zip.exe

windows7_x64

10

PO#560.zip.exe

windows10_x64

10

Analysis

  • max time kernel
    146s
  • max time network
    11s
  • platform
    windows7_x64
  • resource
    win7v20201028
  • submitted
    08-04-2021 06:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#560.zip.exe

  • Size

    913KB

  • MD5

    225f5938273f006356fd813e46e3fcef

  • SHA1

    347cd34fd095ae8f843ee436dde5043bba8fb192

  • SHA256

    69a395d24a3536ef7698ae036596bed55856d4777356946f498faec3f1395f8d

  • SHA512

    a6b9d13ea56e7e22abb484de6c4d5b53b7dc645e23327c9b45d20ce872408d3a9c9c93bdf540e39dd3c4a0206f7fc5008edff5787fad1b2674ebe3e060bbfb9c

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.talllensphotography.com/md5/

Decoy

gnd3.com

thedrata.com

carbeloy.com

impactpittsburg.com

sussage.com

mikespencil.com

ghoshtechno.com

partnermassagetherapy.com

nagago.asia

parkviee.com

kichisanpo.com

awbaviation.com

shopvibeup.com

ab-alamode.com

cash4homesutah.com

funbrushstrokes.com

adeleycar.com

actsbooking.com

rojorodi.icu

fleurdelyscantho.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1248
    • C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe
      "C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2004
      • C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe
        "{path}"
        3⤵
          PID:1608
        • C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe
          "{path}"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1896
      • C:\Windows\SysWOW64\wlanext.exe
        "C:\Windows\SysWOW64\wlanext.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:928
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\PO#560.zip.exe"
          3⤵
          • Deletes itself
          PID:1476

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/928-22-0x0000000001DC0000-0x0000000001E53000-memory.dmp
      Filesize

      588KB

      Download
    • memory/928-21-0x0000000001F00000-0x0000000002203000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/928-19-0x0000000000080000-0x00000000000AE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/928-18-0x0000000000210000-0x0000000000226000-memory.dmp
      Filesize

      88KB

      Download
    • memory/928-17-0x0000000000000000-mapping.dmp
      Download
    • memory/1248-14-0x0000000004F30000-0x0000000005001000-memory.dmp
      Filesize

      836KB

      Download
    • memory/1248-16-0x0000000007220000-0x0000000007390000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/1476-20-0x0000000000000000-mapping.dmp
      Download
    • memory/1896-12-0x00000000008F0000-0x0000000000BF3000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1896-13-0x0000000000140000-0x0000000000154000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1896-15-0x0000000000270000-0x0000000000284000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1896-10-0x000000000041EBA0-mapping.dmp
      Download
    • memory/1896-9-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2004-2-0x0000000074BA0000-0x000000007528E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/2004-8-0x00000000006D0000-0x0000000000737000-memory.dmp
      Filesize

      412KB

      Download
    • memory/2004-7-0x0000000005370000-0x0000000005421000-memory.dmp
      Filesize

      708KB

      Download
    • memory/2004-6-0x00000000004C0000-0x00000000004C5000-memory.dmp
      Filesize

      20KB

      Download
    • memory/2004-5-0x0000000005010000-0x0000000005011000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2004-3-0x0000000000EF0000-0x0000000000EF1000-memory.dmp
      Filesize

      4KB

      Download