Overview

overview

10

Static

static

URLScan

urlscan

http://allhomesreale...

windows10_x64

10

Resubmissions

27-07-2021 23:27

210727-arpx67lxba 10

15-07-2021 07:19

210715-jb7s4tmke2 10

Analysis

  • max time kernel
    150s
  • max time network
    147s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    27-07-2021 23:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://allhomesrealestate.com.au/secured/098348893498/0399298398/0099299232/009382983.exe

  • Sample

    210727-arpx67lxba

Score
10/10
formbookratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.hometowncashbuyersgroup.com/kkt/

Decoy

inspirafutebol.com

customgiftshouston.com

mycreativelending.com

psplaystore.com

newlivingsolutionshop.com

dechefamsterdam.com

servicingl0ans.com

atsdholdings.com

manifestarz.com

sequenceanalytica.com

gethealthcaresmart.com

theartofsurprises.com

pirateequitypatrick.com

alliance-ce.com

wingrushusa.com

funtimespheres.com

solevux.com

antimasathya.com

profitexcavator.com

lankeboxshop.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Downloads MZ/PE file
  • Executes dropped EXE 4 IoCs
  • Suspicious use of SetThreadContext 5 IoCs
  • Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
  • Modifies Internet Explorer settings 1 TTPs 51 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:8
    • C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://allhomesrealestate.com.au/secured/098348893498/0399298398/0099299232/009382983.exe
      2⤵
      • Modifies Internet Explorer Phishing Filter
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1528 CREDAT:82945 /prefetch:2
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:3420
      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
        "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe"
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:804
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe"
          4⤵
          • Executes dropped EXE
          PID:2732
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe"
          4⤵
          • Executes dropped EXE
          PID:3364
        • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
          "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3820
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe"
        3⤵
          PID:1312

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Modify Registry

    2
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      c3f544b1ccb3d30c4a4d641d42702778

      SHA1

      07c50009db6f83442fbc2764ba58dcbea6bcdc1a

      SHA256

      a7c6104402e1a41d0c9ae3b0a4f5943528314aa48edd72d576068ddc8389ab83

      SHA512

      3553c09e54c6420d81975612e0877d392fbd3ed9730e1a3a87d5e23ed3ca0c4770e8b60bd296baace7e6baec3c084756a687b1b3a959f06b5df41b664db22824

      Download Submit
    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
      MD5

      60605cc93867f7491ef0f369ec237b42

      SHA1

      02fccd053075ae5a5509df0f00e8211689712a8e

      SHA256

      da835b3da4a09033e326110542a3cbfe24b129666cf226d2476cf5eacc103ae4

      SHA512

      1d5a860c0d41726eb388eb6ed9fa98f71d7a050b4ebe3109858abde9d50d415924bdd3eacfa1fc368991af5cc6a1a05f16229b6093ca3020d062792ae3b8aee7

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
      MD5

      3a1e8abdfec737197e978f74cde369de

      SHA1

      548698503cb5c9dd49362d4b683571f4f272ae9e

      SHA256

      65a0c46c6663e844e38abc9cb562b1b1e8866be3d1c3616960379693db717463

      SHA512

      874b91624793c264471cfa713070332dac7afb878777cc36736444368bf0e3d0217375d19c2b5d2172b0bd3244b16c9799fa124fb83d692b79982d5ec33d251e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
      MD5

      3a1e8abdfec737197e978f74cde369de

      SHA1

      548698503cb5c9dd49362d4b683571f4f272ae9e

      SHA256

      65a0c46c6663e844e38abc9cb562b1b1e8866be3d1c3616960379693db717463

      SHA512

      874b91624793c264471cfa713070332dac7afb878777cc36736444368bf0e3d0217375d19c2b5d2172b0bd3244b16c9799fa124fb83d692b79982d5ec33d251e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
      MD5

      3a1e8abdfec737197e978f74cde369de

      SHA1

      548698503cb5c9dd49362d4b683571f4f272ae9e

      SHA256

      65a0c46c6663e844e38abc9cb562b1b1e8866be3d1c3616960379693db717463

      SHA512

      874b91624793c264471cfa713070332dac7afb878777cc36736444368bf0e3d0217375d19c2b5d2172b0bd3244b16c9799fa124fb83d692b79982d5ec33d251e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe
      MD5

      3a1e8abdfec737197e978f74cde369de

      SHA1

      548698503cb5c9dd49362d4b683571f4f272ae9e

      SHA256

      65a0c46c6663e844e38abc9cb562b1b1e8866be3d1c3616960379693db717463

      SHA512

      874b91624793c264471cfa713070332dac7afb878777cc36736444368bf0e3d0217375d19c2b5d2172b0bd3244b16c9799fa124fb83d692b79982d5ec33d251e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NPXJ0CH4\009382983.exe.blfrw0w.partial
      MD5

      3a1e8abdfec737197e978f74cde369de

      SHA1

      548698503cb5c9dd49362d4b683571f4f272ae9e

      SHA256

      65a0c46c6663e844e38abc9cb562b1b1e8866be3d1c3616960379693db717463

      SHA512

      874b91624793c264471cfa713070332dac7afb878777cc36736444368bf0e3d0217375d19c2b5d2172b0bd3244b16c9799fa124fb83d692b79982d5ec33d251e

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\MYBKKLKV.cookie
      MD5

      b6b0b3004f7b1a6a548787ef347c1b55

      SHA1

      f6c92aeaec0b3a5191c3a423916ceac54b07d4b5

      SHA256

      9df8396c225075109dedc10f8ed23a3eb7ccaf3e71a18937d4d79df29eac7ca7

      SHA512

      48b9c446df6e021c3ee632a570fc90ed0a2508acff7ceb845363631be0eece59c44929c4775db4ee24ba2ce192366828561f427cdcc5230fed8bd01a8c973d15

      Download Submit
    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\SU4OX5F7.cookie
      MD5

      5e21ec31f8145842e244889fcefda382

      SHA1

      66b35c3bb94f6027621d753691bdc4d7efcc2da2

      SHA256

      664bf62492838b00f8fbc109c42fb7eb53f8639e75800963e9849ba8f6bdcbba

      SHA512

      13753f5298bea330d99507cb5deac2a59f47052e5acabe370aabbeaea87693fb8254fcec013d579e07b5595ecc695b0b31a8edae0bbbb0cf640b1d6df1dd0d1c

      Download Submit
    • memory/8-142-0x0000000006350000-0x0000000006499000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/8-140-0x0000000005CD0000-0x0000000005E2C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/804-131-0x0000000007B00000-0x0000000007BAC000-memory.dmp
      Filesize

      688KB

      Download
    • memory/804-121-0x0000000000CC0000-0x0000000000CC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/804-128-0x0000000009CE0000-0x000000000BCDF000-memory.dmp
      Filesize

      32.0MB

      Download
    • memory/804-126-0x0000000005680000-0x0000000005681000-memory.dmp
      Filesize

      4KB

      Download
    • memory/804-125-0x0000000005740000-0x0000000005741000-memory.dmp
      Filesize

      4KB

      Download
    • memory/804-119-0x0000000000000000-mapping.dmp
      Download
    • memory/804-132-0x0000000008F60000-0x0000000008FD5000-memory.dmp
      Filesize

      468KB

      Download
    • memory/804-124-0x00000000056A0000-0x00000000056A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/804-123-0x0000000005BA0000-0x0000000005BA1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/804-127-0x00000000057F0000-0x00000000057F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/1300-145-0x00000000009D0000-0x00000000009D7000-memory.dmp
      Filesize

      28KB

      Download
    • memory/1300-148-0x0000000002AE0000-0x0000000002B73000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1300-147-0x0000000002B80000-0x0000000002EA0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1300-146-0x00000000004A0000-0x00000000004CE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1300-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1312-144-0x0000000000000000-mapping.dmp
      Download
    • memory/1528-149-0x000001A1C0393000-0x000001A1C0396000-memory.dmp
      Filesize

      12KB

      Download
    • memory/1528-114-0x00007FFD5E530000-0x00007FFD5E59B000-memory.dmp
      Filesize

      428KB

      Download
    • memory/3420-115-0x0000000000000000-mapping.dmp
      Download
    • memory/3820-138-0x0000000001B30000-0x0000000001E50000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3820-141-0x00000000015B0000-0x000000000165E000-memory.dmp
      Filesize

      696KB

      Download
    • memory/3820-136-0x000000000041EBD0-mapping.dmp
      Download
    • memory/3820-139-0x0000000001560000-0x0000000001574000-memory.dmp
      Filesize

      80KB

      Download
    • memory/3820-135-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download