Overview

overview

10

Static

static

PL_106104.exe

windows7_x64

10

PL_106104.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    10-05-2021 18:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PL_106104.exe

  • Size

    503KB

  • MD5

    77f1784fa00332d5623aba88277eb8c1

  • SHA1

    248f8ad49c0d3ef5ddbfaa5a8721aa4dc08acdf5

  • SHA256

    7515beb02e1280d143b4716f8919e34fadfc7c806e5a354dc3dcd1dd3318882c

  • SHA512

    28e6d83ed4f71557ad2d6a8c026d4ce57082cc95517aae0f7243aafc3edd5f1db70778a290b62f433fb4a5d31d3d8c9c8f119d45f9e01b8a0d6343e7a3e077c7

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.cornerstonerecruitmentasia.com/nke/

Decoy

igroomed.com

teksoles.com

day7.today

workseap.com

arvinlapid.com

tigerk2.com

serenablackcreatives.com

ladyyougotballs.com

sahnakz.com

farmandranchexchange.com

sentinam.info

slapnmacs.com

healthygut365.com

maximepilorge.com

ishratsvalley.com

peridotalchemy.com

solevux.com

xn--vkc6b6baa6ac1jbwc6l.com

dailyruminant.com

loocalcryptos.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 30 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
      "C:\Users\Admin\AppData\Local\Temp\PL_106104.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
        C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
        3⤵
          PID:1368
        • C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
          C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
          3⤵
            PID:1548
          • C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
            C:\Users\Admin\AppData\Local\Temp\PL_106104.exe
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:1692
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\SysWOW64\cscript.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:332
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\PL_106104.exe"
            3⤵
            • Deletes itself
            PID:640

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/332-75-0x0000000000560000-0x00000000005F3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/332-74-0x00000000022D0000-0x00000000025D3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/332-73-0x0000000000070000-0x000000000009E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/332-72-0x0000000000EA0000-0x0000000000EC2000-memory.dmp
        Filesize

        136KB

        Download
      • memory/332-70-0x0000000000000000-mapping.dmp
        Download
      • memory/540-61-0x00000000047E0000-0x00000000047E1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/540-62-0x00000000046C0000-0x000000000474A000-memory.dmp
        Filesize

        552KB

        Download
      • memory/540-63-0x0000000001EB0000-0x0000000001EE7000-memory.dmp
        Filesize

        220KB

        Download
      • memory/540-59-0x00000000002D0000-0x00000000002D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/640-71-0x0000000000000000-mapping.dmp
        Download
      • memory/1256-69-0x0000000006640000-0x000000000674B000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1256-76-0x0000000004070000-0x0000000004115000-memory.dmp
        Filesize

        660KB

        Download
      • memory/1692-67-0x0000000000800000-0x0000000000B03000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1692-68-0x00000000001D0000-0x00000000001E4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/1692-64-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1692-65-0x000000000041EB70-mapping.dmp
        Download