Overview

overview

10

Static

static

Remittance...03.exe

windows7_x64

9

Remittance...03.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    132s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    28-07-2021 05:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Remittance_90523_03.exe

  • Size

    1.2MB

  • MD5

    4877999ea194338dfe6ad0b7c501afe8

  • SHA1

    41c912ac202c7b590450fd91e4f2ed6faa5b2aff

  • SHA256

    107f0cce39dcfa85508fd5d256fa0515b6e27f554628e2ca4400af9dc2a5dcae

  • SHA512

    e28520a7d7c5bcccb7309d51c2e5c67668e7c081cf15f133ad4345e1b46a92e652d435abe718c6df851ffa57f8e0355bcccf3cb8e4361bd10012723034e7a5bf

Score
10/10
formbookratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

C2

http://www.bitcoin-noticias.com/fw6/

Decoy

rashtriyasanghsewak.com

filestree.cloud

penoner.com

owliwant.com

elkincook.com

jhac16kaizencollection.com

shalomdentalavenue.com

hotelsbytheweek.com

cookwithchefcari.com

threattenterprises.com

sanookna.com

tlsbuilders.com

softandhardshop.com

ppr419.com

powertexinc.info

businessandhr.com

yiliao2020.com

eiman-pro.com

rhondarothrealtor.com

junk-service.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)
    suricata
  • CustAttr .NET packer 1 IoCs

    Detects CustAttr .NET packer in memory.

  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:2708
    • C:\Users\Admin\AppData\Local\Temp\Remittance_90523_03.exe
      "C:\Users\Admin\AppData\Local\Temp\Remittance_90523_03.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:568
      • C:\Users\Admin\AppData\Local\Temp\Remittance_90523_03.exe
        "C:\Users\Admin\AppData\Local\Temp\Remittance_90523_03.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2292
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1308
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Remittance_90523_03.exe"
        3⤵
          PID:1504

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/568-114-0x0000000000320000-0x0000000000321000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-116-0x0000000004D10000-0x0000000004D11000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-117-0x00000000052B0000-0x00000000052B1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-118-0x0000000004DB0000-0x0000000004DB1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-119-0x0000000002820000-0x0000000002821000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-120-0x0000000004F70000-0x0000000004F71000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-121-0x00000000028A0000-0x00000000028A1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/568-122-0x0000000002750000-0x000000000275B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/568-123-0x0000000005BF0000-0x0000000005C65000-memory.dmp
      Filesize

      468KB

      Download
    • memory/568-124-0x0000000005C70000-0x0000000005CA0000-memory.dmp
      Filesize

      192KB

      Download
    • memory/1308-130-0x0000000000000000-mapping.dmp
      Download
    • memory/1308-133-0x0000000000C10000-0x0000000000C3E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1308-132-0x00000000013D0000-0x00000000013F7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/1308-134-0x0000000004D50000-0x0000000005070000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1308-135-0x0000000004C50000-0x0000000004CE3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1504-131-0x0000000000000000-mapping.dmp
      Download
    • memory/2292-125-0x0000000000400000-0x000000000042E000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2292-127-0x0000000001570000-0x0000000001890000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2292-128-0x00000000014D0000-0x00000000014E4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2292-126-0x000000000041EBA0-mapping.dmp
      Download
    • memory/2708-129-0x00000000028C0000-0x0000000002983000-memory.dmp
      Filesize

      780KB

      Download
    • memory/2708-136-0x0000000002710000-0x00000000027B2000-memory.dmp
      Filesize

      648KB

      Download