Overview

overview

10

Static

static

1

dd1b454578...06.exe

windows7_x64

10

dd1b454578...06.exe

windows10_x64

10

Analysis

  • max time kernel
    6s
  • max time network
    14s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    05-05-2021 13:32

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dd1b4545786b29ca6a8f193e48055d06.exe

  • Size

    228KB

  • MD5

    dd1b4545786b29ca6a8f193e48055d06

  • SHA1

    292b3f6cdf438ff33667c4160be9016e32187af2

  • SHA256

    f88dc07bd8d9ecaabaaad76a092029221077b4eba8d67714dc750b15a59d74f3

  • SHA512

    74d06fe3bef055508c4a4233093989c573fc24f1761fc425a530678c78ba1988f38270190037479a396737e6f87461214f9a33c8b4cdd6bdc19de92a11e6e80c

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.shoprodeovegas.com/xcl/

Decoy

sewingtherose.com

thesmartshareholder.com

afasyah.com

marolamusic.com

lookupgeorgina.com

plataforyou.com

dijcan.com

pawtyparcels.com

interprediction.com

fairerfinancehackathon.net

thehmnshop.com

jocelynlopez.com

launcheffecthouston.com

joyeveryminute.com

spyforu.com

ronerasanjuan.com

gadgetsdesi.com

nmrconsultants.com

travellpod.com

ballparksportscards.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: MapViewOfSection 1 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe
    "C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:1096
    • C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe
      "C:\Users\Admin\AppData\Local\Temp\dd1b4545786b29ca6a8f193e48055d06.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1128

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsi78DA.tmp\e8y8qnxvyff.dll
    MD5

    6496d9ed92ba627e38ed23b4bceedf45

    SHA1

    64dbc80a0ad75af5eda9136c6e7ccaeba22eb8c2

    SHA256

    e59cfc7619e0f202c0bd6f132ca988f2f7f6dc302d885d1ab2d66b04e356ff0a

    SHA512

    b0079f519883f02c9b5e0389e5c48864a913f0f5f0171fa681d305a24414f08ac7d5023026c432b96312e41f7481260eeba6952bfb5d63d3fdd40bef6613948d

    Download Submit

  • memory/1096-60-0x0000000075DA1000-0x0000000075DA3000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1096-62-0x0000000001D90000-0x0000000001D92000-memory.dmp

    Filesize

    8KB

    Download

  • memory/1128-63-0x000000000041EB70-mapping.dmp

    Download

  • memory/1128-64-0x0000000000400000-0x000000000042E000-memory.dmp

    Filesize

    184KB

    Download

  • memory/1128-65-0x0000000000800000-0x0000000000B03000-memory.dmp

    Filesize

    3.0MB

    Download