Overview

overview

10

Static

static

b57d3c5864...in.exe

windows7_x64

10

b57d3c5864...in.exe

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    120s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 14:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe

  • Size

    717KB

  • MD5

    321c5fea0e0a4d9852c33ccb63ac6223

  • SHA1

    f89fc9d8aa077928f712e2d32cee177d5210fb5b

  • SHA256

    b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475

  • SHA512

    c25bae3b77ed2e4c730a4e44878151c687b5802767f18e8ea2f252588e4cc8fa3ceb0f74891c0296afae8ed4442447a3822ebf98b40518e5d9d37135f3ae0370

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.glittergalsboutique.com/8buc/

Decoy

affiliatetraining101.com

sun5new.com

localstuffunlimited.store

getmrn.com

nipandtucknurse.com

companycreater.com

painfullyperfect.com

3dmobilemammo.com

theredbeegroup.net

loochaan.com

alanoliveiramkt.com

lxwzsh.com

twobookramblers.com

cscardinalmalula.net

hanarzr.com

sabaicp.com

foodprocessmedia.com

tirongroup.com

dcentralizedcloud.com

xn--80abnkzb2a.xn--p1acf

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3176
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3464
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gwTHhfiXU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2108
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gwTHhfiXU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpC9C9.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:3888
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gwTHhfiXU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1140
    • C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1216

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    dc49f65d8ef5022d0f0346cf4c841bca

    SHA1

    13cfcebe4f1d215796a8f4b0d64700570faaea5b

    SHA256

    d4a1fda01143efc4ede558d1ec96098b5f8728d455bfda6d000dd699844d32d0

    SHA512

    34b7927447e3983a331033bb933b4a2f37b50e94d21a8e99bdfcb8c25438707fa2a37ba425dd7d6ec34ac492b2d162c81cd87baffc4ed6fb6fc117bd62e48ba6

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    0737cc5a19a652b671810745e3d17087

    SHA1

    4e2bc7d3aceefa48bef33b28326074e7b5fc2892

    SHA256

    bf75569e77184aed5a8eae721adb7ea3c0f1b94c765bded0466e53897aa1c50c

    SHA512

    841db2668df7cd822941e622e05d13d7eb98e7baf210ac49deebdd0459187e068570ca5fd26f8c27cfd1cd8b4d7431e33b53cc42782ba1ca28e7d10c4370cb15

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpC9C9.tmp
    MD5

    38bcd3293a24af9c9851c00e647ea4c7

    SHA1

    47ec3ba74095e4d894ee3a0e41e74ecd2adbbc52

    SHA256

    dca27fcdc70329c8b0ef92a5b1039f363efd2679dca006d57dd9901f2e09317a

    SHA512

    a0d49b4689513d536fa537048aacc368e41ded452da46098bd7e1a480c16d0d93c1f5cc23cc7d255ba0967876f774460182825bd14fafa4bd02e3c38c8575469

    Download Submit
  • memory/1140-160-0x0000000007102000-0x0000000007103000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1140-159-0x0000000007100000-0x0000000007101000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1140-195-0x000000007EAD0000-0x000000007EAD1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1140-137-0x0000000000000000-mapping.dmp
    Download
  • memory/1140-198-0x0000000007103000-0x0000000007104000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1216-161-0x0000000001190000-0x00000000014B0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/1216-141-0x000000000041ED80-mapping.dmp
    Download
  • memory/1216-139-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/2108-168-0x00000000082C0000-0x00000000082C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2108-194-0x000000007E460000-0x000000007E461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2108-196-0x0000000004723000-0x0000000004724000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2108-126-0x0000000000000000-mapping.dmp
    Download
  • memory/2108-156-0x0000000004720000-0x0000000004721000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2108-157-0x0000000004722000-0x0000000004723000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2108-146-0x0000000007B80000-0x0000000007B81000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2108-162-0x0000000007A60000-0x0000000007A61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3176-122-0x0000000000F70000-0x0000000000FD3000-memory.dmp
    Filesize

    396KB

    Download
  • memory/3176-119-0x0000000002A70000-0x0000000002A7E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3176-120-0x00000000059A0000-0x00000000059A1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3176-121-0x0000000005800000-0x00000000058A7000-memory.dmp
    Filesize

    668KB

    Download
  • memory/3176-118-0x00000000010D0000-0x00000000010D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3176-114-0x0000000000660000-0x0000000000661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3176-117-0x0000000005180000-0x0000000005181000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3176-116-0x00000000050E0000-0x00000000050E1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-127-0x0000000006D40000-0x0000000006D41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-164-0x0000000008710000-0x0000000008711000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-144-0x0000000007AE0000-0x0000000007AE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-186-0x00000000092C0000-0x00000000092F3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3464-193-0x000000007F560000-0x000000007F561000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-138-0x0000000007340000-0x0000000007341000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-142-0x0000000007A70000-0x0000000007A71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-131-0x0000000006D90000-0x0000000006D91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-197-0x0000000006D93000-0x0000000006D94000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-132-0x0000000006D92000-0x0000000006D93000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-128-0x00000000073D0000-0x00000000073D1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3464-123-0x0000000000000000-mapping.dmp
    Download
  • memory/3888-129-0x0000000000000000-mapping.dmp
    Download