Overview

overview

10

Static

static

10

2.exe

windows7_x64

10

2.exe

windows10_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    15-10-2021 06:43

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2.exe

  • Size

    184KB

  • MD5

    57fc9c24357ac2cde150537ae8a42884

  • SHA1

    70fdc837d404f465f4af739d7415c24023f437ed

  • SHA256

    eab2de096cfe890da97a654fb7c14097b1c15242cca986d90811c5722c95b416

  • SHA512

    52e6f1d1a6aa7862de48add0b1f1a06d83b72efa5c8856256e3caf2110a457f42c45f54ba8a85776779e201bd12fc8176cd31c1bd8ab500b076096da89adee27

Score
10/10
formbookbc3sratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bc3s

C2

http://www.topei-products.com/bc3s/

Decoy

anna-ng.com

mariangelamata.com

szqnbl.com

nesherguitars.com

mysekrit.com

againbeautyviensui.xyz

appf.life

bilalsolution.com

technoratii.com

11restoran.com

birthingly.com

crystalcarrillo.com

cohenasset.info

bunchofdesign.com

highstreetmag.com

talentkerning.com

outdoor-glassesadvice.com

aliceeety.com

habbuhot.info

pao91.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 1 IoCs
    rat
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2872
    • C:\Users\Admin\AppData\Local\Temp\2.exe
      "C:\Users\Admin\AppData\Local\Temp\2.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1892
    • C:\Windows\SysWOW64\control.exe
      "C:\Windows\SysWOW64\control.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3436
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\2.exe"
        3⤵
          PID:3572

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1892-116-0x0000000000C00000-0x0000000000CAE000-memory.dmp
      Filesize

      696KB

      Download
    • memory/1892-115-0x0000000000D40000-0x0000000000E8A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2872-117-0x0000000004AE0000-0x0000000004C4C000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2872-124-0x0000000004C50000-0x0000000004DD3000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3436-118-0x0000000000000000-mapping.dmp
      Download
    • memory/3436-120-0x0000000000340000-0x0000000000360000-memory.dmp
      Filesize

      128KB

      Download
    • memory/3436-121-0x00000000029D0000-0x00000000029FE000-memory.dmp
      Filesize

      184KB

      Download
    • memory/3436-122-0x00000000045C0000-0x00000000048E0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/3436-123-0x0000000004360000-0x00000000043F3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3572-119-0x0000000000000000-mapping.dmp
      Download