Overview

overview

10

Static

static

CMA-CGM_BO...ON.exe

windows7_x64

10

CMA-CGM_BO...ON.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    143s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    14-10-2021 14:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    CMA-CGM_BOOKING CONFIRMATION.exe

  • Size

    136KB

  • MD5

    8d8de7800608937b14d10bd67119606c

  • SHA1

    bc31409f73d7cae389fb0a7f6d43c4559cdf3b24

  • SHA256

    312a98e7e1ce67e997898b9fc725d99a2eb0ac2e9e6b1d316f9f5c99ed3a3223

  • SHA512

    92b5241333d0fe0cd303be979e226be5bd69b5656a733c5a867f5415923773561a584ff5ee15113b727299d11a94f474b624173a8c8b4807711644caa6a7d7d7

Score
10/10
formbookguloadernffdownloaderratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nff

C2

http://www.yellow-wink.com/nff/

Decoy

shinseikai.site

creditmystartup.com

howtovvbucks.com

betterfromthebeginning.com

oubacm.com

stonalogov.com

gentrypartyof8.com

cuesticksandsupplies.com

joelsavestheday.com

llanobnb.com

ecclogic.com

miempaque.com

cai23668.com

miscdr.net

twzhhq.com

bloomandbrewcafe.com

angcomleisure.com

mafeeboutique.com

300coin.club

brooksranchhomes.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Guloader,Cloudeye

    A shellcode based downloader first seen in 2020.

    downloaderguloader
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Checks QEMU agent file 2 TTPs 2 IoCs

    Checks presence of QEMU agent, possibly to detect virtualization.

  • Deletes itself 1 IoCs
  • Suspicious use of NtCreateThreadExHideFromDebugger 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1216
    • C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe
      "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
      2⤵
      • Checks QEMU agent file
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1296
      • C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe
        "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
        3⤵
        • Checks QEMU agent file
        • Suspicious use of NtCreateThreadExHideFromDebugger
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:316
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1064
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\CMA-CGM_BOOKING CONFIRMATION.exe"
        3⤵
        • Deletes itself
        PID:2028

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1
T1012

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/316-71-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/316-66-0x00000000001B0000-0x00000000002B0000-memory.dmp
    Filesize

    1024KB

    Download
  • memory/316-69-0x00000000770B0000-0x0000000077259000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/316-70-0x0000000077290000-0x0000000077410000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/316-74-0x000000001DFE0000-0x000000001E1A4000-memory.dmp
    Filesize

    1.8MB

    Download
  • memory/316-72-0x0000000000400000-0x000000000042E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/316-62-0x00000000004011A0-mapping.dmp
    Download
  • memory/316-63-0x0000000000400000-0x0000000000553000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/316-73-0x000000001E5B0000-0x000000001E8B3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1064-80-0x0000000000AC0000-0x0000000000DC3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1064-76-0x0000000000000000-mapping.dmp
    Download
  • memory/1064-81-0x0000000000890000-0x0000000000923000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1064-79-0x0000000000070000-0x000000000009E000-memory.dmp
    Filesize

    184KB

    Download
  • memory/1064-78-0x0000000000FA0000-0x0000000000FC2000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1216-75-0x0000000007550000-0x00000000076F6000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1216-82-0x00000000080D0000-0x000000000825A000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1296-60-0x0000000075331000-0x0000000075333000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1296-54-0x0000000000220000-0x0000000000226000-memory.dmp
    Filesize

    24KB

    Download
  • memory/1296-58-0x00000000770B0000-0x0000000077259000-memory.dmp
    Filesize

    1.7MB

    Download
  • memory/1296-65-0x0000000077290000-0x0000000077410000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1296-59-0x0000000077290000-0x0000000077410000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1296-55-0x0000000000220000-0x000000000022A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1296-56-0x00000000003D0000-0x00000000003E7000-memory.dmp
    Filesize

    92KB

    Download
  • memory/2028-77-0x0000000000000000-mapping.dmp
    Download