Overview

overview

10

Static

static

Siparis on...82.exe

windows7_x64

10

Siparis on...82.exe

windows10_x64

10

Analysis

  • max time kernel
    151s
  • max time network
    146s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    14-10-2021 10:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Siparis onayi.09826272882.exe

  • Size

    777KB

  • MD5

    ec4945b27f81624b5293543cc03885e5

  • SHA1

    98702dd3ae9571c627615d6cb7137156381d1886

  • SHA256

    f86258665b68d70e83397ac4ef17598c552b994dd13f26b8208c4d40b8e94816

  • SHA512

    70156ed777e9650e4a37ce8794df62b7b08852e331edd798c388430abc33616cc2f608b0a8c92295d97f87be3d31297c6e921946841d967c7254a98d30cd57f8

Score
10/10
formbookbc3spersistenceratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc3s

C2

http://www.topei-products.com/bc3s/

Decoy

anna-ng.com

mariangelamata.com

szqnbl.com

nesherguitars.com

mysekrit.com

againbeautyviensui.xyz

appf.life

bilalsolution.com

technoratii.com

11restoran.com

birthingly.com

crystalcarrillo.com

cohenasset.info

bunchofdesign.com

highstreetmag.com

talentkerning.com

outdoor-glassesadvice.com

aliceeety.com

habbuhot.info

pao91.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Users\Admin\AppData\Local\Temp\Siparis onayi.09826272882.exe
      "C:\Users\Admin\AppData\Local\Temp\Siparis onayi.09826272882.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\SysWOW64\logagent.exe
        C:\Windows\System32\logagent.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2300
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:912
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\SysWOW64\logagent.exe"
        3⤵
          PID:3952

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/912-124-0x0000000000000000-mapping.dmp
      Download
    • memory/912-129-0x00000000049D0000-0x0000000004A63000-memory.dmp
      Filesize

      588KB

      Download
    • memory/912-128-0x0000000004B60000-0x0000000004E80000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/912-125-0x0000000000EC0000-0x0000000000EE7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/912-126-0x0000000000780000-0x00000000007AE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/1776-116-0x0000000000951000-0x0000000000965000-memory.dmp
      Filesize

      80KB

      Download
    • memory/1776-115-0x0000000000930000-0x0000000000931000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2300-118-0x0000000002DF0000-0x0000000002DF1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2300-122-0x0000000003380000-0x0000000003394000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2300-120-0x0000000072480000-0x00000000724AE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/2300-121-0x0000000004FB0000-0x00000000052D0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2300-117-0x0000000000000000-mapping.dmp
      Download
    • memory/3040-123-0x0000000006920000-0x0000000006A44000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3040-130-0x0000000007500000-0x000000000762F000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3952-127-0x0000000000000000-mapping.dmp
      Download