Overview

overview

10

Static

static

2bINu9BOqKtJHoo.exe

windows7_x64

1

2bINu9BOqKtJHoo.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    21-07-2021 15:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2bINu9BOqKtJHoo.exe

  • Size

    1.1MB

  • MD5

    b8b1a1e689be765aad3fe0f8d97199af

  • SHA1

    96b923aaa5b0d3e9974b4080298bb8a7bcfcf725

  • SHA256

    f0e734543c047d2ca1a76a4e47553e85d50c57ff9d3dfbd0e55806ff890fef38

  • SHA512

    1f64bbf0bed9cc5cd04da93a9da7346774a493f73171b87f1331da5d00dc970d054ccc73935e57341512bd7d8827c3c88319f4458c30f0d09a6b25c91f356f7c

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.bulverderoofing.com/lt0h/

Decoy

originalindigofurniture.co.uk

fl6588.com

acecademy.com

yaerofinerindalnalising.com

mendilovic.online

rishenght.com

famlees.com

myhomeofficemarket.com

bouquetarabia.com

chrisbani.com

freebandslegally.com

hernandezinsurancegroup.net

slicedandfresh.com

apnathikanas.com

chadhatesyou.com

ansilsas.com

in3development.com

nitiren.net

peespn.com

valengz.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\2bINu9BOqKtJHoo.exe
      "C:\Users\Admin\AppData\Local\Temp\2bINu9BOqKtJHoo.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Users\Admin\AppData\Local\Temp\2bINu9BOqKtJHoo.exe
        "C:\Users\Admin\AppData\Local\Temp\2bINu9BOqKtJHoo.exe"
        3⤵
          PID:3000
        • C:\Users\Admin\AppData\Local\Temp\2bINu9BOqKtJHoo.exe
          "C:\Users\Admin\AppData\Local\Temp\2bINu9BOqKtJHoo.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:996
      • C:\Windows\SysWOW64\netsh.exe
        "C:\Windows\SysWOW64\netsh.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3736
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\2bINu9BOqKtJHoo.exe"
          3⤵
            PID:3916

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/776-114-0x00000000007B0000-0x00000000007B1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/776-116-0x00000000051C0000-0x00000000051C1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/776-117-0x0000000005760000-0x0000000005761000-memory.dmp

        Filesize

        4KB

        Download

      • memory/776-118-0x0000000005260000-0x0000000005261000-memory.dmp

        Filesize

        4KB

        Download

      • memory/776-119-0x0000000005260000-0x000000000575E000-memory.dmp

        Filesize

        5.0MB

        Download

      • memory/776-120-0x0000000005190000-0x0000000005191000-memory.dmp

        Filesize

        4KB

        Download

      • memory/776-121-0x0000000005380000-0x0000000005381000-memory.dmp

        Filesize

        4KB

        Download

      • memory/776-122-0x0000000005530000-0x000000000554B000-memory.dmp

        Filesize

        108KB

        Download

      • memory/776-123-0x00000000088F0000-0x000000000896A000-memory.dmp

        Filesize

        488KB

        Download

      • memory/776-124-0x00000000089B0000-0x00000000089E5000-memory.dmp

        Filesize

        212KB

        Download

      • memory/996-125-0x0000000000400000-0x000000000042E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/996-126-0x000000000041EB60-mapping.dmp

        Download

      • memory/996-128-0x0000000000A60000-0x0000000000BAA000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/996-127-0x0000000001050000-0x0000000001370000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3020-129-0x0000000002420000-0x0000000002513000-memory.dmp

        Filesize

        972KB

        Download

      • memory/3020-136-0x0000000004A30000-0x0000000004B84000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/3736-130-0x0000000000000000-mapping.dmp

        Download

      • memory/3736-131-0x00000000016B0000-0x00000000016CE000-memory.dmp

        Filesize

        120KB

        Download

      • memory/3736-132-0x0000000000F20000-0x0000000000F4E000-memory.dmp

        Filesize

        184KB

        Download

      • memory/3736-133-0x0000000003A10000-0x0000000003D30000-memory.dmp

        Filesize

        3.1MB

        Download

      • memory/3736-135-0x0000000003800000-0x0000000003893000-memory.dmp

        Filesize

        588KB

        Download

      • memory/3916-134-0x0000000000000000-mapping.dmp

        Download