Overview

overview

10

Static

static

1

Shipment D...pg.exe

windows7_x64

10

Shipment D...pg.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    19-04-2021 19:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Shipment Document BL,INV and packing list.jpg.exe

  • Size

    231KB

  • MD5

    50456fb9b8f0806b76ffd072a5bb70f2

  • SHA1

    ec8e584acd7b5153cf50d9c338b002666e7f85d8

  • SHA256

    aca4e7d8bc5a58300b0945187c084f6c2c44418133ffb36adfb08e25d285de82

  • SHA512

    42c006d277fb4526f56523fb8fb415f7f00e66fe165cbedac2af399a9cabd01c572b76a3706daac292dc5b64e0abcfe8d6f6a5744cba5295f1abc7d3eda00fe9

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.localmarketingaiagency.com/pgr/

Decoy

rhymewitnessnews.com

z1seven.com

quaidon.com

spruiodes.com

leanderpumpkinpatch.com

starfood-eg.com

americanrestorationreport.net

myonyxfoundation.com

adcvea.com

theassociationconsultant.com

snaparama.com

ukajp.com

guarfianlife.com

e-dourouss.com

beflybmx.com

ceoesalamanca.com

myoxx.com

maxwatertreatment.com

maskelicious.com

aditridental.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Deletes itself 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1208
    • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
      "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1820
      • C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe
        "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1200
    • C:\Windows\SysWOW64\wscript.exe
      "C:\Windows\SysWOW64\wscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1256
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Shipment Document BL,INV and packing list.jpg.exe"
        3⤵
        • Deletes itself
        PID:1688

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsi6B72.tmp\juukqoeba.dll
    MD5

    c96e0db05235eda2de5a1bb8b15c22e5

    SHA1

    41cd64af5c4da417b6acdc6e0bf6af432085c6b8

    SHA256

    2802bba60b65fae0c3d480971e8e03adc8a97bacc4688f9d3943073592fc2b8f

    SHA512

    bede0119c47e15c4dfc9c4d0d27496d2f72fe2a160cf403002644e1fb000e57bee28fe303fdbfa40ee08cb21407c292628dbb14ce190e05a291f6f1aada9b75f

    Download Submit

  • memory/1200-67-0x00000000002C0000-0x00000000002D4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1200-64-0x000000000041EBA0-mapping.dmp

    Download

  • memory/1200-65-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1200-66-0x0000000000930000-0x0000000000C33000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1208-68-0x0000000006C20000-0x0000000006D43000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/1208-75-0x0000000004D00000-0x0000000004DD4000-memory.dmp

    Filesize

    848KB

    Download

  • memory/1256-69-0x0000000000000000-mapping.dmp

    Download

  • memory/1256-71-0x00000000002C0000-0x00000000002E6000-memory.dmp

    Filesize

    152KB

    Download

  • memory/1256-72-0x0000000000070000-0x000000000009E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1256-73-0x0000000002050000-0x0000000002353000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/1256-74-0x0000000001D80000-0x0000000001E13000-memory.dmp

    Filesize

    588KB

    Download

  • memory/1688-70-0x0000000000000000-mapping.dmp

    Download

  • memory/1820-62-0x0000000002550000-0x000000000319A000-memory.dmp

    Filesize

    12.3MB

    Download

  • memory/1820-60-0x0000000076641000-0x0000000076643000-memory.dmp

    Filesize

    8KB

    Download