Overview

overview

10

Static

static

Ministry o...in.exe

windows7_x64

10

Ministry o...in.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    14-10-2021 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Ministry of Health Kingdom of Bahrain.exe

  • Size

    358KB

  • MD5

    e1a110c51c33c12ee53679c40c954395

  • SHA1

    361ca3b8600138c93a6cb8728ddefd7bb1be53ef

  • SHA256

    ad4c2025f6a3741ba965e53a40e907b04dd1031c666e80d98afe6fd00c70239d

  • SHA512

    8572c6c49eca57c0a89523df94c73eb65617687c4e89045633eeafb05f2844f6c14df7ef0e61fa05a1cae39d5fa664d8e206c6cccadcacc03d749a9b0caefdfb

Score
10/10
formbookey5aratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ey5a

C2

http://www.puwuved.xyz/ey5a/

Decoy

lygptkl.com

winsentrade.com

bluprintliving.com

yumohealth.com

cherryadulttoys.com

gianttigar.com

maxhutmacher.net

autostokyocorp.com

calvaryload.com

stixxiepix.com

j98152.com

starsky666.xyz

loadkicks.com

designauraspace.com

wwwfmcna.com

mikakonaitopsychologist.com

kristalsuaritma.com

kh180.com

kulturel.net

araveenapark.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe
      "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe
        "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1468
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Ministry of Health Kingdom of Bahrain.exe"
        3⤵
          PID:408

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/408-134-0x0000000000000000-mapping.dmp
      Download
    • memory/924-130-0x0000000000000000-mapping.dmp
      Download
    • memory/924-135-0x0000000004B90000-0x0000000004C24000-memory.dmp
      Filesize

      592KB

      Download
    • memory/924-133-0x0000000004E00000-0x0000000005120000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/924-131-0x0000000000C10000-0x0000000000F0C000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/924-132-0x0000000000AD0000-0x0000000000AFF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1468-128-0x0000000001100000-0x0000000001115000-memory.dmp
      Filesize

      84KB

      Download
    • memory/1468-127-0x0000000001570000-0x0000000001890000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1468-124-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1468-125-0x000000000041F070-mapping.dmp
      Download
    • memory/2276-122-0x0000000008040000-0x0000000008041000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-115-0x0000000000EC0000-0x0000000000EC1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-123-0x00000000080E0000-0x0000000008130000-memory.dmp
      Filesize

      320KB

      Download
    • memory/2276-121-0x0000000007D10000-0x0000000007D15000-memory.dmp
      Filesize

      20KB

      Download
    • memory/2276-120-0x00000000056B0000-0x0000000005742000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2276-119-0x0000000005760000-0x0000000005761000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-118-0x0000000005790000-0x0000000005791000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2276-117-0x0000000005C90000-0x0000000005C91000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2872-129-0x0000000005AC0000-0x0000000005C14000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2872-136-0x0000000005C20000-0x0000000005D1C000-memory.dmp
      Filesize

      1008KB

      Download