Overview

overview

10

Static

static

Confirm!!!.exe

windows7_x64

10

Confirm!!!.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    09-05-2021 09:18

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Confirm!!!.exe

  • Size

    1.1MB

  • MD5

    7afd3b350ea6451b47be2058c07365de

  • SHA1

    8186d625b6f406d71a27aa8ef51f52902c5c26f0

  • SHA256

    540021aa05d8985bf6eca783d86cdada2727b5ed0b1a943cb9cdfb224a4e50f1

  • SHA512

    02a7ec42b3d9c9f6e6b1538406b08fccd1a661c05d62b89a211443bad25acf520d78711906009f1215647971e6d7e8a65fddbe06efcc32c438e0b7e8b53d34d1

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.deuxus.com/t052/

Decoy

ladybug-learning.com

unforgottenstory.com

oldmopaiv.xyz

natashaexim.com

hannahmcelgunn.com

retargetingmachines.info

njoconline.com

unicornlankadelivery.com

giftkerala.com

englishfordoctors.online

schatzilandrvresort.com

brujoisaac.com

basiccampinggear.com

escapees.today

dgyxsy888.com

stevebana.xyz

mimozakebap.com

ezdoff.com

pluumyspalace.com

shaoshanshan.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2428
    • C:\Users\Admin\AppData\Local\Temp\Confirm!!!.exe
      "C:\Users\Admin\AppData\Local\Temp\Confirm!!!.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:640
      • C:\Users\Admin\AppData\Local\Temp\Confirm!!!.exe
        "C:\Users\Admin\AppData\Local\Temp\Confirm!!!.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2596
    • C:\Windows\SysWOW64\chkdsk.exe
      "C:\Windows\SysWOW64\chkdsk.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1504
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Confirm!!!.exe"
        3⤵
          PID:3244

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/640-114-0x0000000000380000-0x0000000000381000-memory.dmp
      Filesize

      4KB

      Download
    • memory/640-116-0x0000000004D00000-0x0000000004D01000-memory.dmp
      Filesize

      4KB

      Download
    • memory/640-117-0x00000000052A0000-0x00000000052A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/640-118-0x0000000004DA0000-0x0000000004DA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/640-119-0x0000000004DA0000-0x000000000529E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/640-120-0x0000000004CD0000-0x0000000004CD1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/640-121-0x0000000004FB0000-0x0000000004FB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/640-122-0x0000000007210000-0x000000000721E000-memory.dmp
      Filesize

      56KB

      Download
    • memory/640-123-0x0000000000CF0000-0x0000000000D6D000-memory.dmp
      Filesize

      500KB

      Download
    • memory/640-124-0x0000000009700000-0x0000000009738000-memory.dmp
      Filesize

      224KB

      Download
    • memory/1504-131-0x0000000000000000-mapping.dmp
      Download
    • memory/1504-134-0x00000000006A0000-0x00000000006CE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1504-133-0x00000000008D0000-0x00000000008DA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1504-135-0x0000000004D60000-0x0000000005080000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1504-136-0x0000000004AC0000-0x0000000004B53000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2428-130-0x00000000064E0000-0x00000000065E3000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2428-137-0x00000000049F0000-0x0000000004B30000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2596-126-0x000000000041ECC0-mapping.dmp
      Download
    • memory/2596-128-0x0000000001240000-0x0000000001560000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2596-129-0x0000000001140000-0x0000000001154000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2596-125-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3244-132-0x0000000000000000-mapping.dmp
      Download