Overview

overview

10

Static

static

1

USD54,884....4D.exe

windows7_x64

10

USD54,884....4D.exe

windows10_x64

10

Analysis

  • max time kernel
    117s
  • max time network
    138s
  • platform
    windows7_x64
  • resource
    win7-en-20210920
  • submitted
    26-10-2021 07:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    USD54,884.56_202110260056MT103_0034D.exe

  • Size

    267KB

  • MD5

    9eea5277e11627651e1628b7da56044d

  • SHA1

    b6b160d2d53f9b55e186b809654519bb095399d9

  • SHA256

    827b490e3a19a6c6e1fb7766e3a85957648c133fb6fb6a15cb48100dd8b06422

  • SHA512

    f2fc56a72ae74bf9cf1aee7cadf48c29ec0da1129c242bfd3cb54430820cfdb0068afac7f7c6bf96e2a4071b2abb2e3c2a0be840c40ffb689a869c73fad85498

Score
10/10
formbooknd1wratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

nd1w

C2

http://www.ahlongpteltd.com/nd1w/

Decoy

cartographieinterieure.store

de-tanautorisierung-6439.xyz

maxisezon.com

spottsalodio.xyz

thesocialguild.net

petemergencydoctor.com

czhtfmgj.com

incontrilocalimilano.com

132kingrd.com

clearviewsatellitesolutions.com

shopingmanplus.com

compuserviciosway.com

millportservicesltd.com

ticketinsurey.club

metro-club.com

aboutpoliticsofatom.com

brebawake.com

yurteam.com

dropadoo.com

wcsaroma2012.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Loads dropped DLL 1 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe
    "C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1616
    • C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe
      "C:\Users\Admin\AppData\Local\Temp\USD54,884.56_202110260056MT103_0034D.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1456

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • \Users\Admin\AppData\Local\Temp\nsd2A9A.tmp\fruxxsvmla.dll
    MD5

    55a80bb1109eef5ba30afc1ad52da387

    SHA1

    9aea3e6b238981e039b063e58c76f640e72d337e

    SHA256

    2b427f70d70b913812e1b32851aa2e30dd0971e44af25766ccc8ecaa5cd2e119

    SHA512

    60383333103ecd0f07e515c79dd23abd4d315057e4b3cfef05c699f90b5f0a4f7b903dd3781523828baf2f92c5d87bdf12b516a60c774b83e8ef2ae6ee556a48

    Download Submit
  • memory/1456-56-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1456-57-0x000000000041F170-mapping.dmp
    Download
  • memory/1456-58-0x00000000008F0000-0x0000000000BF3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1616-54-0x0000000076B61000-0x0000000076B63000-memory.dmp
    Filesize

    8KB

    Download