Overview

overview

10

Static

static

Purchase O...27.exe

windows7_x64

10

Purchase O...27.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    09-05-2021 15:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Purchase Order-070POR044127.exe

  • Size

    970KB

  • MD5

    15777f1f1c6b81ea03eb9f14c3a77f68

  • SHA1

    1664e98460e60a7399d393c9df24aa5435f9e251

  • SHA256

    1012fd502b2b0f81c21293efaf6b1f012693dc485690e4b8dda25dfa4c7538d9

  • SHA512

    54e7d77fc74ce5f5331a4e1f373b9bbd4dc8dc4ffc9ec3b62f9a321535d699209956dd13d3907e0609c54410e19deddbacec1f78f02cfa80eb6788c1de99e8c7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.magnumopuspro.com/nyr/

Decoy

anemone-vintage.com

ironcitytools.com

joshandmatthew.com

breathtakingscenery.photos

karabakh-terror.com

micahelgall.com

entretiendesterrasses.com

mhgholdings.com

blewm.com

sidewalknotary.com

ytrs-elec.com

danhpham.com

ma21cle2henz.xyz

lotusforlease.com

shipleyphotoandfilm.com

bulktool.xyz

ouedzmala.com

yichengvpr.com

connectmygames.com

chjcsc.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 44 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe
      "C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:624
      • C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3384
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2292
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Purchase Order-070POR044127.exe"
        3⤵
          PID:2768

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/624-123-0x000000000B390000-0x000000000B3D0000-memory.dmp
      Filesize

      256KB

      Download
    • memory/624-114-0x0000000000920000-0x0000000000921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-117-0x0000000005420000-0x0000000005421000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-118-0x0000000005310000-0x00000000053A2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/624-122-0x0000000008C10000-0x0000000008C9D000-memory.dmp
      Filesize

      564KB

      Download
    • memory/624-120-0x00000000089F0000-0x00000000089F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-116-0x0000000005920000-0x0000000005921000-memory.dmp
      Filesize

      4KB

      Download
    • memory/624-121-0x0000000005900000-0x000000000590E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/624-119-0x00000000053A0000-0x00000000053A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2292-133-0x00000000001B0000-0x00000000001DE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2292-135-0x00000000046A0000-0x0000000004733000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2292-134-0x0000000004930000-0x0000000004C50000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2292-132-0x00000000009C0000-0x0000000000DFF000-memory.dmp
      Filesize

      4.2MB

      Download
    • memory/2292-130-0x0000000000000000-mapping.dmp
      Download
    • memory/2708-129-0x0000000004EC0000-0x0000000004FCD000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2708-136-0x0000000004FD0000-0x0000000005117000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2768-131-0x0000000000000000-mapping.dmp
      Download
    • memory/3384-128-0x0000000000B00000-0x0000000000C4A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3384-127-0x00000000010C0000-0x00000000013E0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3384-125-0x000000000041EBA0-mapping.dmp
      Download
    • memory/3384-124-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download