Overview

overview

10

Static

static

NEW ORDER ...64.exe

windows7_x64

10

NEW ORDER ...64.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    08-04-2021 07:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    NEW ORDER - BLL04658464.exe

  • Size

    641KB

  • MD5

    c43b615ee95f80f037b142b55decf144

  • SHA1

    1cb557a6198866592dd0644d0561edafae222f06

  • SHA256

    fea4f85475d53bbb39592cb92dc6588948b1dd218e4ac554749ffe1fc26ffc67

  • SHA512

    189590db3368a348bf827f9e46970a64b29d95587dbbab7fbc0a000e51e3f5845bfbf8b8bf3a9a8c57273fce15d68ad9c7704daff2b37daae1b9b69aa7dac674

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.bendhighswimming.com/crdi/

Decoy

propertyjumpstartwebinar.com

boc-vip.club

polestarnyc.com

travelonlinebiz.com

bukovynaent.com

bestfashoin.com

miniindiastore.com

wehatebillgates.com

holmescountyjusticecourt.com

colectivorenovemosjuntos.com

houstowarehouse.com

aocsw.com

sml-uniform.com

bandanasaint.com

petposhdeluxe.com

ezcscpawq.com

ladiesoption.club

refixu.com

selfwrrrth.com

rovietry.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2956
    • C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe
      "C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4636
      • C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe
        "C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3824
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4168
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\NEW ORDER - BLL04658464.exe"
        3⤵
          PID:4068

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2956-28-0x00000000024E0000-0x000000000258E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/2956-21-0x0000000000680000-0x000000000074E000-memory.dmp
      Filesize

      824KB

      Download
    • memory/3824-15-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3824-20-0x0000000001360000-0x0000000001374000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3824-19-0x0000000001400000-0x0000000001720000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3824-16-0x000000000041ED20-mapping.dmp
      Download
    • memory/4068-26-0x0000000000000000-mapping.dmp
      Download
    • memory/4168-23-0x0000000001010000-0x000000000101B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/4168-22-0x0000000000000000-mapping.dmp
      Download
    • memory/4168-27-0x00000000009B0000-0x0000000000A43000-memory.dmp
      Filesize

      588KB

      Download
    • memory/4168-25-0x0000000000AA0000-0x0000000000DC0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4168-24-0x0000000000150000-0x000000000017E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/4636-10-0x00000000054F0000-0x00000000054F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-9-0x0000000005400000-0x0000000005401000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-8-0x0000000005200000-0x0000000005201000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-7-0x00000000052A0000-0x00000000052A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-6-0x0000000005700000-0x0000000005701000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-11-0x00000000089A0000-0x00000000089A4000-memory.dmp
      Filesize

      16KB

      Download
    • memory/4636-2-0x0000000073D60000-0x000000007444E000-memory.dmp
      Filesize

      6.9MB

      Download
    • memory/4636-14-0x0000000007040000-0x0000000007073000-memory.dmp
      Filesize

      204KB

      Download
    • memory/4636-13-0x0000000001010000-0x0000000001088000-memory.dmp
      Filesize

      480KB

      Download
    • memory/4636-5-0x0000000005160000-0x0000000005161000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-12-0x000000007FD00000-0x000000007FD01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/4636-3-0x0000000000890000-0x0000000000891000-memory.dmp
      Filesize

      4KB

      Download