Overview

overview

10

Static

static

e__ample_at.exe

windows7_x64

10

Analysis

  • max time kernel
    302s
  • max time network
    313s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    19-10-2021 13:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e__ample_at.exe

  • Size

    696KB

  • MD5

    4b893ddd41f5546da9ab79b8f3e8487a

  • SHA1

    36b2dcb7e232ca1b6f5be4f480334fea7075acdb

  • SHA256

    10395ba8c32eeef47f5d79f9fe7bb15ed1f67f7941cade16604b09ed69fba6ab

  • SHA512

    d6e0e214db78df936c210a8b05ae3caddbf6a948d877abad78b6e803f88cd1402519156fd83f2ce4901fb8d13a4e8830a7dcfe327b2df85f98068ce5c7575714

Score
10/10
formbookbs2lratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

bs2l

C2

http://www.amazonsfinds.com/bs2l/

Decoy

file-anae.com

letsgosunderland.com

urgome.com

g5tet.xyz

myline2online.com

crafty-buck.com

uralpack.net

chinmeat.com

kursuskekipoh.com

justgantt.com

hqh.xyz

xiongege55.com

pokebrostogo.com

firststonemusic.com

bataviabento.com

comoditahandyshop.com

dayloniabeauty.com

ceeonec.com

scribblerhub.com

lindosueno.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 53 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 20 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 22 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1204
    • C:\Users\Admin\AppData\Local\Temp\e__ample_at.exe
      "C:\Users\Admin\AppData\Local\Temp\e__ample_at.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1060
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\tarbBoxln" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA2B5.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1732
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:932
    • C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" C:\Windows\system32\devmgmt.msc
      2⤵
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:1660
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1304
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        3⤵
          PID:1784
    • C:\Windows\SysWOW64\DllHost.exe
      C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
      1⤵
        PID:1156

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Scheduled Task

      1
      T1053

      Persistence

      Scheduled Task

      1
      T1053

      Privilege Escalation

      Scheduled Task

      1
      T1053

      Defense Evasion

      Credential Access

      Discovery

      System Information Discovery

      1
      T1082

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/932-68-0x000000000041EB40-mapping.dmp
        Download
      • memory/932-70-0x0000000000910000-0x0000000000C13000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/932-71-0x00000000001E0000-0x00000000001F4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/932-65-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/932-66-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/932-67-0x0000000000400000-0x000000000042E000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1060-56-0x00000000768C1000-0x00000000768C3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1060-57-0x0000000004D30000-0x0000000004D31000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1060-58-0x0000000000500000-0x0000000000507000-memory.dmp
        Filesize

        28KB

        Download
      • memory/1060-54-0x00000000008F0000-0x00000000008F1000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1060-62-0x0000000007ED0000-0x0000000007F34000-memory.dmp
        Filesize

        400KB

        Download
      • memory/1060-63-0x00000000008A0000-0x00000000008CF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/1204-72-0x0000000009160000-0x00000000092A1000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/1204-79-0x0000000003B30000-0x0000000003BCE000-memory.dmp
        Filesize

        632KB

        Download
      • memory/1304-73-0x0000000000000000-mapping.dmp
        Download
      • memory/1304-75-0x00000000001D0000-0x00000000001FE000-memory.dmp
        Filesize

        184KB

        Download
      • memory/1304-74-0x0000000001620000-0x000000000163B000-memory.dmp
        Filesize

        108KB

        Download
      • memory/1304-76-0x0000000000BA0000-0x0000000000EA3000-memory.dmp
        Filesize

        3.0MB

        Download
      • memory/1304-78-0x0000000000970000-0x0000000000A03000-memory.dmp
        Filesize

        588KB

        Download
      • memory/1660-61-0x0000000002170000-0x0000000002171000-memory.dmp
        Filesize

        4KB

        Download
      • memory/1660-60-0x000007FEFBFD1000-0x000007FEFBFD3000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1732-64-0x0000000000000000-mapping.dmp
        Download
      • memory/1784-77-0x0000000000000000-mapping.dmp
        Download