Overview

overview

10

Static

static

#6495PI-29...20.exe

windows7_x64

10

#6495PI-29...20.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    178s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    #6495PI-29458-2020.exe

  • Size

    919KB

  • MD5

    020c3201638570f2858099e3e522a9a0

  • SHA1

    c3977925522b50fc59c2d2e1e014e24052d36fce

  • SHA256

    24e635e80cecd03066225b27fdb524c4542586b22dc820e05f8a02072008c674

  • SHA512

    11455186a0f8d4ad74de60cb4fa2acf399c8c39887ef979fa5b3d2568b530bc5d8c91c70dd3a7621df9e37ba3b1360fe38201146ed39dc185b03656a2ff8e173

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.nouolive.com/wt5i/

Decoy

mydreamct.com

vadicore.com

choicemango.com

projectsolutionspro.com

ncg.xyz

goio.digital

ee-secure-account.com

criminalstudy.com

fsjuanzhi.com

pont-travaux-public.com

agencepartenaire.com

jlsyzm.com

prosselius.com

woodendgroups.com

thereproducts.site

sigmagrupo.net

chelseagracia.com

fusosstore.com

chrissypips.trade

mvlxplcswa.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 27 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\#6495PI-29458-2020.exe
      "C:\Users\Admin\AppData\Local\Temp\#6495PI-29458-2020.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1140
      • C:\Users\Admin\AppData\Local\Temp\#6495PI-29458-2020.exe
        "{path}"
        3⤵
          PID:740
        • C:\Users\Admin\AppData\Local\Temp\#6495PI-29458-2020.exe
          "{path}"
          3⤵
            PID:788
          • C:\Users\Admin\AppData\Local\Temp\#6495PI-29458-2020.exe
            "{path}"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:876
        • C:\Windows\SysWOW64\ipconfig.exe
          "C:\Windows\SysWOW64\ipconfig.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Gathers network information
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:608
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\#6495PI-29458-2020.exe"
            3⤵
            • Deletes itself
            PID:840

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/608-71-0x0000000000000000-mapping.dmp
        Download
      • memory/608-77-0x0000000000750000-0x00000000007E3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/608-76-0x0000000002180000-0x0000000002483000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/608-75-0x0000000000080000-0x00000000000AE000-memory.dmp
        Filesize

        184KB

        Download
      • memory/608-74-0x0000000000D70000-0x0000000000D7A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/608-72-0x0000000075D41000-0x0000000075D43000-memory.dmp
        Filesize

        8KB

        Download
      • memory/840-73-0x0000000000000000-mapping.dmp
        Download
      • memory/876-69-0x00000000001D0000-0x00000000001E4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/876-68-0x0000000000A40000-0x0000000000D43000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/876-67-0x000000000041EB20-mapping.dmp
        Download
      • memory/876-66-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1140-59-0x00000000000C0000-0x00000000000C1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1140-65-0x0000000001F90000-0x0000000001FC0000-memory.dmp
        Filesize

        192KB

        Download
      • memory/1140-64-0x0000000005A10000-0x0000000005A8F000-memory.dmp
        Filesize

        508KB

        Download
      • memory/1140-63-0x0000000000670000-0x0000000000672000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1140-62-0x0000000004930000-0x0000000004931000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1140-61-0x0000000004300000-0x000000000435F000-memory.dmp
        Filesize

        380KB

        Download
      • memory/1220-70-0x0000000004FA0000-0x00000000050AC000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/1220-78-0x0000000004C00000-0x0000000004CBC000-memory.dmp
        Filesize

        752KB

        Download