Overview

overview

10

Static

static

1

yutrre123.exe

windows7_x64

10

yutrre123.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    156s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    08-10-2021 15:05

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    yutrre123.exe

  • Size

    254KB

  • MD5

    7f0a0bc19a6da99c8ab7f8f77a1a6a59

  • SHA1

    0d961900905b134eca222792806e63bd7a43cfa3

  • SHA256

    f840ca48e6381b385534156b8245c39dee4d1c95e18569c91b5537ff2f20aa7d

  • SHA512

    59a7274d661cc22fff771a5e2c2eb6bf04fdf4caa9d70a034e15bbdc0b5071d3c769ab0967c705bc457c78e6a1d11f6b6f8a7a34282b48c0bdd6d3723e3485a4

Score
10/10
formbookrv9nratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rv9n

C2

http://www.cjspizza.net/rv9n/

Decoy

olivia-grace.show

zhuwww.com

keiretsu.xyz

olidnh.space

searuleansec.com

2fastrepair.com

brooklynmetalroof.com

scodol.com

novaprint.pro

the-loaner.com

nextroundscap.com

zbwlggs.com

internetautodealer.com

xn--tornrealestate-ekb.com

yunjiuhuo.com

skandinaviskakryptobanken.com

coxivarag.rest

ophthalmologylab.com

zzzzgjcdbqnn98.net

doeful.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\yutrre123.exe
      "C:\Users\Admin\AppData\Local\Temp\yutrre123.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:364
      • C:\Users\Admin\AppData\Local\Temp\yutrre123.exe
        "C:\Users\Admin\AppData\Local\Temp\yutrre123.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2608
    • C:\Windows\SysWOW64\autochk.exe
      "C:\Windows\SysWOW64\autochk.exe"
      2⤵
        PID:2952
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\SysWOW64\cscript.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:412
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\yutrre123.exe"
          3⤵
            PID:1264

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • \Users\Admin\AppData\Local\Temp\nsi99F5.tmp\ypobihvdj.dll
        MD5

        96b8ffe8342b813da5cf66f4f4d1707a

        SHA1

        f08b595fce697d76306698e19a6f1a2af5eeb57a

        SHA256

        f40e2eb315e7b80a03bf062eac98af2703912650d04a8ec77c56e51cc38d8171

        SHA512

        2b15b28c3956fa6495f5842bd96bb089ab986351fb90446b0efc17fe459f641c4fbdb6aed8e8d3649756865a159193d4dad8e95ac00bf41a8cd84d49ee9eddb2

        Download Submit
      • memory/412-124-0x0000000000000000-mapping.dmp
        Download
      • memory/412-129-0x0000000004E70000-0x0000000004F03000-memory.dmp
        Filesize

        588KB

        Download
      • memory/412-128-0x0000000005110000-0x0000000005430000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/412-127-0x0000000002FE0000-0x000000000300F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/412-126-0x0000000000FA0000-0x0000000000FC7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/1264-125-0x0000000000000000-mapping.dmp
        Download
      • memory/2608-118-0x0000000000AC0000-0x0000000000DE0000-memory.dmp
        Filesize

        3.1MB

        Download
      • memory/2608-122-0x0000000000A30000-0x0000000000A44000-memory.dmp
        Filesize

        80KB

        Download
      • memory/2608-121-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/2608-119-0x0000000000530000-0x000000000067A000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2608-116-0x000000000041F120-mapping.dmp
        Download
      • memory/2608-115-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3020-123-0x0000000005870000-0x00000000059F6000-memory.dmp
        Filesize

        1.5MB

        Download
      • memory/3020-120-0x0000000005760000-0x000000000586B000-memory.dmp
        Filesize

        1.0MB

        Download
      • memory/3020-130-0x0000000003090000-0x000000000314F000-memory.dmp
        Filesize

        764KB

        Download