Overview

overview

10

Static

static

PO#6275473...ng.exe

windows7_x64

10

PO#6275473...ng.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    10-05-2021 14:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO#6275473, Shipping.exe

  • Size

    665KB

  • MD5

    cb78b28dea109d0e11a05934e02cf9d8

  • SHA1

    caab11bc17589dc8d20805070d1e343d60192751

  • SHA256

    5f05f0816898db3798aaa6722cfbd0f625a0eac271b72d0b8c295fa056dff733

  • SHA512

    8b53f9c263efd1c2ef9011de1112deac3d15d7d31cdf4061f2cca19a4a713bca873d6f0ee0778d3a7eafbbe62a23e891dea8668164f2e9d20645f0aed3a8abaa

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.magnumopuspro.com/nyr/

Decoy

anemone-vintage.com

ironcitytools.com

joshandmatthew.com

breathtakingscenery.photos

karabakh-terror.com

micahelgall.com

entretiendesterrasses.com

mhgholdings.com

blewm.com

sidewalknotary.com

ytrs-elec.com

danhpham.com

ma21cle2henz.xyz

lotusforlease.com

shipleyphotoandfilm.com

bulktool.xyz

ouedzmala.com

yichengvpr.com

connectmygames.com

chjcsc.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 22 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2996
    • C:\Users\Admin\AppData\Local\Temp\PO#6275473, Shipping.exe
      "C:\Users\Admin\AppData\Local\Temp\PO#6275473, Shipping.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3652
      • C:\Users\Admin\AppData\Local\Temp\PO#6275473, Shipping.exe
        "C:\Users\Admin\AppData\Local\Temp\PO#6275473, Shipping.exe"
        3⤵
          PID:3372
        • C:\Users\Admin\AppData\Local\Temp\PO#6275473, Shipping.exe
          "C:\Users\Admin\AppData\Local\Temp\PO#6275473, Shipping.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:1096
      • C:\Windows\SysWOW64\mstsc.exe
        "C:\Windows\SysWOW64\mstsc.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2104
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\PO#6275473, Shipping.exe"
          3⤵
            PID:3860

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1096-124-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/1096-128-0x0000000001450000-0x0000000001464000-memory.dmp

        Filesize

        80KB

        Download

      • memory/1096-127-0x0000000001750000-0x0000000001A70000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/1096-125-0x000000000041EBA0-mapping.dmp

        Download

      • memory/2104-132-0x0000000002E90000-0x0000000002EBE000-memory.dmp

        Filesize

        184KB

        Download

      • memory/2104-135-0x0000000004610000-0x00000000046A3000-memory.dmp

        Filesize

        588KB

        Download

      • memory/2104-134-0x0000000004780000-0x0000000004AA0000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/2104-131-0x00000000001B0000-0x00000000004AC000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/2104-130-0x0000000000000000-mapping.dmp

        Download

      • memory/2996-129-0x0000000005C50000-0x0000000005D62000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/2996-136-0x0000000005D70000-0x0000000005E92000-memory.dmp

        Filesize

        1.1MB

        Download

      • memory/3652-119-0x0000000005260000-0x000000000575E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/3652-116-0x0000000005760000-0x0000000005761000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3652-117-0x0000000005300000-0x0000000005301000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3652-118-0x00000000053A0000-0x00000000053A1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3652-114-0x0000000000980000-0x0000000000981000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3652-120-0x0000000005260000-0x0000000005261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3652-123-0x0000000008590000-0x00000000085C8000-memory.dmp

        Filesize

        224KB

        Download

      • memory/3652-122-0x0000000001290000-0x000000000130F000-memory.dmp

        Filesize

        508KB

        Download

      • memory/3652-121-0x0000000005660000-0x0000000005664000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3860-133-0x0000000000000000-mapping.dmp

        Download