Overview

overview

10

Static

static

b57d3c5864...in.exe

windows7_x64

10

b57d3c5864...in.exe

windows10_x64

10

Analysis

  • max time kernel
    130s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    05-05-2021 15:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe

  • Size

    717KB

  • MD5

    321c5fea0e0a4d9852c33ccb63ac6223

  • SHA1

    f89fc9d8aa077928f712e2d32cee177d5210fb5b

  • SHA256

    b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475

  • SHA512

    c25bae3b77ed2e4c730a4e44878151c687b5802767f18e8ea2f252588e4cc8fa3ceb0f74891c0296afae8ed4442447a3822ebf98b40518e5d9d37135f3ae0370

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.glittergalsboutique.com/8buc/

Decoy

affiliatetraining101.com

sun5new.com

localstuffunlimited.store

getmrn.com

nipandtucknurse.com

companycreater.com

painfullyperfect.com

3dmobilemammo.com

theredbeegroup.net

loochaan.com

alanoliveiramkt.com

lxwzsh.com

twobookramblers.com

cscardinalmalula.net

hanarzr.com

sabaicp.com

foodprocessmedia.com

tirongroup.com

dcentralizedcloud.com

xn--80abnkzb2a.xn--p1acf

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe
    "C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3680
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3432
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gwTHhfiXU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:748
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\gwTHhfiXU" /XML "C:\Users\Admin\AppData\Local\Temp\tmpED4F.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:384
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\gwTHhfiXU.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3056
    • C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\b57d3c5864e097f7de38ab9acce31c5d8f8c7619026c075592c2ca8e24078475.bin.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2728

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
    MD5

    1c19c16e21c97ed42d5beabc93391fc5

    SHA1

    8ad83f8e0b3acf8dfbbf87931e41f0d664c4df68

    SHA256

    1bcd97396c83babfe6c5068ba590d7a3f8b70e72955a9d1e4070648e404cbf05

    SHA512

    7d18776d8f649b3d29c182ff03efc6cea8b527542ee55304980f24577aae8b64e37044407776e220984346c3998ace5f8853afa58c8b38407482a728e9495e0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    6a012644d6a81d88df890c19b5b56cc1

    SHA1

    2a49bcd298a036cd50bdbbf92a60243b17325f64

    SHA256

    b247d21c073bde6827946ac6b118214ce4672862d7c49ca1e96b6008e48f5454

    SHA512

    31839eb51420d5c835c400c6829ba9c6a7a83ff5eac7ca3f87ed8ab1da4b0f6ae6d52f404b54ec90219238b6951bc8b47c6842b80ab40f2d1a0a2d55d359c770

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    MD5

    ee054da9c3d40bf6e89da3f198899e46

    SHA1

    be5741562d93354860e5784d3513625da81c4bdb

    SHA256

    5ef897e80723d53cd853fa7b1cf483bf3e6b3457cb3971685a90825219e14a00

    SHA512

    7818761b387a1f790b66de6623bd486c50b259aa7685db473bd05c111c272d9e0d77f147af492a938ef6f74faf22fc4ea571d8e2d4d12dda185ce0fc77cf65c7

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\tmpED4F.tmp
    MD5

    38bcd3293a24af9c9851c00e647ea4c7

    SHA1

    47ec3ba74095e4d894ee3a0e41e74ecd2adbbc52

    SHA256

    dca27fcdc70329c8b0ef92a5b1039f363efd2679dca006d57dd9901f2e09317a

    SHA512

    a0d49b4689513d536fa537048aacc368e41ded452da46098bd7e1a480c16d0d93c1f5cc23cc7d255ba0967876f774460182825bd14fafa4bd02e3c38c8575469

    Download Submit
  • memory/384-126-0x0000000000000000-mapping.dmp
    Download
  • memory/748-168-0x0000000007E60000-0x0000000007E61000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-198-0x0000000006A93000-0x0000000006A94000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-195-0x000000007E8C0000-0x000000007E8C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-158-0x0000000006A92000-0x0000000006A93000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-124-0x0000000000000000-mapping.dmp
    Download
  • memory/748-156-0x0000000006A90000-0x0000000006A91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-144-0x0000000006F10000-0x0000000006F11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/748-140-0x0000000006C90000-0x0000000006C91000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2728-137-0x000000000041ED80-mapping.dmp
    Download
  • memory/2728-153-0x0000000000ED0000-0x00000000011F0000-memory.dmp
    Filesize

    3.1MB

    Download
  • memory/2728-136-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/3056-135-0x0000000000000000-mapping.dmp
    Download
  • memory/3056-160-0x0000000004680000-0x0000000004681000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3056-197-0x0000000004683000-0x0000000004684000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3056-193-0x000000007EF30000-0x000000007EF31000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3056-188-0x0000000008EC0000-0x0000000008EF3000-memory.dmp
    Filesize

    204KB

    Download
  • memory/3056-161-0x0000000004682000-0x0000000004683000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-165-0x0000000006DE0000-0x0000000006DE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-148-0x0000000007570000-0x0000000007571000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-128-0x0000000006880000-0x0000000006881000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-196-0x0000000006903000-0x0000000006904000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-129-0x0000000006F40000-0x0000000006F41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-151-0x0000000006900000-0x0000000006901000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-162-0x0000000006DC0000-0x0000000006DC1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-123-0x0000000000000000-mapping.dmp
    Download
  • memory/3432-194-0x000000007E2B0000-0x000000007E2B1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-155-0x0000000006902000-0x0000000006903000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3432-146-0x0000000006EA0000-0x0000000006EA1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3680-114-0x0000000000B10000-0x0000000000B11000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3680-121-0x0000000005CD0000-0x0000000005D77000-memory.dmp
    Filesize

    668KB

    Download
  • memory/3680-120-0x0000000005460000-0x0000000005461000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3680-119-0x0000000005EE0000-0x0000000005EE1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3680-122-0x0000000008790000-0x00000000087F3000-memory.dmp
    Filesize

    396KB

    Download
  • memory/3680-118-0x0000000005450000-0x000000000545E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/3680-117-0x0000000005660000-0x0000000005661000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3680-116-0x00000000055C0000-0x00000000055C1000-memory.dmp
    Filesize

    4KB

    Download