Overview
overview
10Static
static
1015becbaa36...1f.exe
windows7_x64
715becbaa36...1f.exe
windows10_x64
7Nuovo ordine .exe
windows7_x64
10Nuovo ordine .exe
windows10_x64
10189d5314ce...6e2b44
linux_amd64
189d5314ce...6e2b44
linux_mipsel
189d5314ce...6e2b44
linux_mips
18ccb7df2f...2a.exe
windows7_x64
1018ccb7df2f...2a.exe
windows10_x64
101b11ae98b8...4f.dll
windows7_x64
101b11ae98b8...4f.dll
windows10_x64
10204591aa6d...b8.exe
windows7_x64
10204591aa6d...b8.exe
windows10_x64
102c7540c6d0...ff.exe
windows7_x64
102c7540c6d0...ff.exe
windows10_x64
102cb4d62827...d9.dll
windows7_x64
102cb4d62827...d9.dll
windows10_x64
104fd784c26d...49.exe
windows7_x64
104fd784c26d...49.exe
windows10_x64
10553dc4c06c...5f.exe
windows7_x64
10553dc4c06c...5f.exe
windows10_x64
105afed1cccc...2d.dll
windows7_x64
105afed1cccc...2d.dll
windows10_x64
1062742e4698...10.exe
windows7_x64
1062742e4698...10.exe
windows10_x64
106707289e11...1b.exe
windows7_x64
106707289e11...1b.exe
windows10_x64
1069a43a40f0...e5.exe
windows7_x64
1069a43a40f0...e5.exe
windows10_x64
106ca42fe27f...b7.exe
windows7_x64
106ca42fe27f...b7.exe
windows10_x64
106db4bb653b...97.jar
windows7_x64
3Analysis
-
max time kernel
151s -
max time network
165s -
platform
windows10_x64 -
resource
win10v20210408 -
submitted
30-07-2021 15:25
Static task
static1
Behavioral task
behavioral1
Sample
15becbaa3657b788030771ccb6072e63f14728533aac9f1dcfe2cf89ebdac51f.exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral2
Sample
15becbaa3657b788030771ccb6072e63f14728533aac9f1dcfe2cf89ebdac51f.exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral3
Sample
Nuovo ordine .exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral4
Sample
Nuovo ordine .exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral5
Sample
189d5314ce773d4497cd2c8aacc99f939bbc32c188d9db8a09e12005ae6e2b44
Resource
ubuntu-amd64
linux_amd64
Behavioral task
behavioral6
Sample
189d5314ce773d4497cd2c8aacc99f939bbc32c188d9db8a09e12005ae6e2b44
Resource
debian9-mipsel
linux_mipsel
Behavioral task
behavioral7
Sample
189d5314ce773d4497cd2c8aacc99f939bbc32c188d9db8a09e12005ae6e2b44
Resource
debian9-mipsbe
linux_mips
Behavioral task
behavioral8
Sample
18ccb7df2f91787a9392bf60d2f7019c86af65584c8a9c4846dee62e3240912a.exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral9
Sample
18ccb7df2f91787a9392bf60d2f7019c86af65584c8a9c4846dee62e3240912a.exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral10
Sample
1b11ae98b85bb0645abe36adcd852e6e84b51c6b5c811729f3c19f14f32d4e4f.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral11
Sample
1b11ae98b85bb0645abe36adcd852e6e84b51c6b5c811729f3c19f14f32d4e4f.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral12
Sample
204591aa6d44da7eef69d7ee3d32a9b4cb8e405a575fc3cbcf2d5e0217879cb8.exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral13
Sample
204591aa6d44da7eef69d7ee3d32a9b4cb8e405a575fc3cbcf2d5e0217879cb8.exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral14
Sample
2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral15
Sample
2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral16
Sample
2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9.dll
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral17
Sample
2cb4d628278053eba42c82d58fb894c230451ffe70d519ff79c5f1cc76f32fd9.dll
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral18
Sample
4fd784c26daf0b1877d7ffd53710b7312d89c8af0f3e640c1584d238e7e68949.exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral19
Sample
4fd784c26daf0b1877d7ffd53710b7312d89c8af0f3e640c1584d238e7e68949.exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral20
Sample
553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral21
Sample
553dc4c06cd2a8a13eebb90e6c2a9e7fc09a81858d7233199f0f03d2051bfb5f.exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral22
Sample
5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d.dll
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral23
Sample
5afed1ccccb12db0f6da9f25c43d10b4e63995881b65526004cd6f6a390c792d.dll
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral24
Sample
62742e4698b352658390b6b4f5088ddebb673503d5a4151f19c2face25932210.exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral25
Sample
62742e4698b352658390b6b4f5088ddebb673503d5a4151f19c2face25932210.exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral26
Sample
6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe
Resource
win7v20210408
windows7_x64
Behavioral task
behavioral27
Sample
6707289e11e16158e605882cdd2ce2fc9574428dd0114c6d6246146cb6ba7b1b.exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral28
Sample
69a43a40f02660c2065fe3b76861dab28cc292301c180f1eafbf6c3f7b57afe5.exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral29
Sample
69a43a40f02660c2065fe3b76861dab28cc292301c180f1eafbf6c3f7b57afe5.exe
Resource
win10v20210408
windows10_x64
Behavioral task
behavioral30
Sample
6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe
Resource
win7v20210410
windows7_x64
Behavioral task
behavioral31
Sample
6ca42fe27fbffcc87eb0995f36e945d8e62e0c06ea606be6a32382eb557970b7.exe
Resource
win10v20210410
windows10_x64
Behavioral task
behavioral32
Sample
6db4bb653b7dc11b7cda176c18697d9b2a758b2e1de9b83e3804dce2fbc8ba97.jar
Resource
win7v20210410
windows7_x64
General
-
Target
2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe
-
Size
614KB
-
MD5
028bf5bc572cf06e10c315334c397649
-
SHA1
cf69c58a4e35b7290af44ec658edc3582655f84d
-
SHA256
2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff
-
SHA512
cda1ba7ed4e86e60bb83bc1c71ec51c57b5f676622c3daf067d3c04e176ff2709417bc0ec2fbade98f5140e077eacffc0e54cbf1415f2c7f45caac9ce20e929c
Malware Config
Extracted
formbook
4.1
http://www.prospertraining.info/ymmi/
terrapotencia.com
issytosou.net
samankapan.com
zzxitang.com
iapple-uk.com
robertcollinsrealtor.com
theweehero.com
jyotisagar.net
powerbi.fitness
nuoyilm.com
modelsara.com
langvietco.com
aplusroofer.com
isabelacalaca.com
bearhawk.one
exporaoverseas.com
box-appliance.com
walkingfishvod.com
onlyqna.com
feed-parser.com
elegantloungebyjvs.com
expoviviendavirtualgto.com
forgetsticks.com
bloodandteethartwork.com
tinytrailers4bigadventures.com
anal-liza.com
nakopisebe.com
han-chun.com
battybanter.com
resctub.com
biogenesisammendments.com
rajkotpostaldivision.com
akcharconsulting.com
khanmochicaocap.com
albareeparts.com
globalhomeopharma.com
globetrotter-blog.com
vdvozknj.icu
montecitobeachtown.com
staticker.com
vehicleheroes.com
marbellelingerie.com
relocanada.com
nigiwai-bangbuathong-sainoi.com
fuvies.com
ccd-creative.com
weiziyun.net
mylocal.pro
waterbabyisr.com
carmenschmidt.com
culturedlittlehumans.com
amorimcapital.com
1800articles.com
localbaajaar.com
tt-bid.com
suttonbankdc.com
ccacademyofmusic.com
gasteless.com
kamalaharrisfanclub.com
shenyingsuwu.com
edelweissestates.com
wiserfinances.com
freeaitrainingonline.com
xn--ftft-lzabbb.net
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 3 IoCs
resource yara_rule behavioral15/memory/1508-115-0x0000000000000000-mapping.dmp formbook behavioral15/memory/1508-117-0x0000000010410000-0x000000001043E000-memory.dmp formbook behavioral15/memory/1332-124-0x0000000003060000-0x000000000308E000-memory.dmp formbook -
Suspicious use of SetThreadContext 2 IoCs
description pid Process procid_target PID 1508 set thread context of 3020 1508 logagent.exe 22 PID 1332 set thread context of 3020 1332 msdt.exe 22 -
Program crash 1 IoCs
pid pid_target Process procid_target 3800 660 WerFault.exe 34 -
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 3800 WerFault.exe 1508 logagent.exe 1508 logagent.exe 1508 logagent.exe 1508 logagent.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe 1332 msdt.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3020 Explorer.EXE -
Suspicious behavior: MapViewOfSection 5 IoCs
pid Process 1508 logagent.exe 1508 logagent.exe 1508 logagent.exe 1332 msdt.exe 1332 msdt.exe -
Suspicious use of AdjustPrivilegeToken 5 IoCs
description pid Process Token: SeRestorePrivilege 3800 WerFault.exe Token: SeBackupPrivilege 3800 WerFault.exe Token: SeDebugPrivilege 3800 WerFault.exe Token: SeDebugPrivilege 1508 logagent.exe Token: SeDebugPrivilege 1332 msdt.exe -
Suspicious use of UnmapMainImage 1 IoCs
pid Process 3020 Explorer.EXE -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 660 wrote to memory of 1508 660 2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe 80 PID 660 wrote to memory of 1508 660 2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe 80 PID 660 wrote to memory of 1508 660 2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe 80 PID 660 wrote to memory of 1508 660 2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe 80 PID 660 wrote to memory of 1508 660 2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe 80 PID 660 wrote to memory of 1508 660 2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe 80 PID 3020 wrote to memory of 1332 3020 Explorer.EXE 81 PID 3020 wrote to memory of 1332 3020 Explorer.EXE 81 PID 3020 wrote to memory of 1332 3020 Explorer.EXE 81 PID 1332 wrote to memory of 312 1332 msdt.exe 82 PID 1332 wrote to memory of 312 1332 msdt.exe 82 PID 1332 wrote to memory of 312 1332 msdt.exe 82
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020 -
C:\Users\Admin\AppData\Local\Temp\2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe"C:\Users\Admin\AppData\Local\Temp\2c7540c6d066510b73a1a5c668dc74ec6d0d3f0716bb3adb6cd83afdd07f35ff.exe"2⤵
- Suspicious use of WriteProcessMemory
PID:660 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 660 -s 13123⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3800
-
-
C:\Windows\SysWOW64\logagent.exeC:\Windows\System32\logagent.exe3⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
PID:1508
-
-
-
C:\Windows\SysWOW64\msdt.exe"C:\Windows\SysWOW64\msdt.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1332 -
C:\Windows\SysWOW64\cmd.exe/c del "C:\Windows\SysWOW64\logagent.exe"3⤵PID:312
-
-