Overview

overview

10

Static

static

NEW ORDER ...85.exe

windows7_x64

10

NEW ORDER ...85.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    124s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-04-2021 06:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW ORDER ELO-05756485.exe

  • Size

    528KB

  • MD5

    ef847f9fc2339b9470150fef1105b5fe

  • SHA1

    eb9b2c97525c2b167d1ae4bdeba308f1c4d9206d

  • SHA256

    9e54241184e45b1950037313896e0d2e864cc9d373f5a2f14b0af405094fd1a4

  • SHA512

    ea26bb55d9d79ca887b184b71746328e65b06b24d701d7856f6f416a1fc93f750580b68a8204b30eb94dabc9e899e4baf4358f23ef5ce7ea23308369b5be4c10

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.dingolope.com/riai/

Decoy

856380892.xyz

goproteinz.com

girigratis.com

4schwuleautoren.com

artofwrestlingicons.com

miles4moms.com

tamiigun.com

noritamoneyconsultants.net

blacklionllc.net

elevictory.com

happinessmail.com

thymocide.net

123goimmo.com

advocate4deaf.com

lovelyforum.net

rentlondonapartment.com

weinsureplanes.com

tagfqjxf.icu

thewellbeingsutra.com

enibo-official.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3016
    • C:\Users\Admin\AppData\Local\Temp\NEW ORDER ELO-05756485.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW ORDER ELO-05756485.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Users\Admin\AppData\Local\Temp\NEW ORDER ELO-05756485.exe
        "C:\Users\Admin\AppData\Local\Temp\NEW ORDER ELO-05756485.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1404
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3288
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDER ELO-05756485.exe"
        3⤵
          PID:1172

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/540-13-0x0000000000F00000-0x0000000000F75000-memory.dmp
      Filesize

      468KB

      Download
    • memory/540-3-0x00000000006D0000-0x00000000006D1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-2-0x0000000073520000-0x0000000073C0E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/540-6-0x0000000005670000-0x0000000005671000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-7-0x0000000005210000-0x0000000005211000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-8-0x0000000005370000-0x0000000005371000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-9-0x0000000005140000-0x0000000005141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-10-0x0000000005380000-0x0000000005381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-11-0x000000007F640000-0x000000007F641000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-14-0x0000000000F80000-0x0000000000FB3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/540-5-0x0000000005050000-0x0000000005051000-memory.dmp
      Filesize

      4KB

      Download
    • memory/540-12-0x0000000007680000-0x0000000007684000-memory.dmp
      Filesize

      16KB

      Download
    • memory/1172-22-0x0000000000000000-mapping.dmp
      Download
    • memory/1404-18-0x0000000000EF0000-0x0000000001210000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1404-19-0x0000000000980000-0x0000000000994000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1404-16-0x000000000041ED30-mapping.dmp
      Download
    • memory/1404-15-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3016-20-0x00000000062D0000-0x00000000063D2000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/3288-21-0x0000000000000000-mapping.dmp
      Download
    • memory/3288-26-0x0000000005050000-0x00000000050E3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3288-24-0x0000000000D60000-0x0000000000D8E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3288-23-0x0000000001260000-0x0000000001287000-memory.dmp
      Filesize

      156KB

      Download
    • memory/3288-25-0x00000000052E0000-0x0000000005600000-memory.dmp
      Filesize

      3.1MB

      Download