Overview

overview

10

Static

static

e87b10b098...3d.exe

windows7_x64

10

e87b10b098...3d.exe

windows10_x64

10

Analysis

  • max time kernel
    122s
  • max time network
    122s
  • submitted
    01-01-1970 00:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e87b10b098df8ff5906cb1154c78e83d.exe

  • Size

    596KB

  • MD5

    e87b10b098df8ff5906cb1154c78e83d

  • SHA1

    26417afefaabd707dae65d9fdd84178f4fb5e112

  • SHA256

    4e25735dc713c78458f181caa0f09a6ea2ca79a708a3b22f52d1c936806de251

  • SHA512

    87a959392f490e84346daffbbb3807a168b9c1ff4a4bdbf4b7e2e9db813377e1c9eb1a4be3b4cb7bd8eb011553d3367e818068d8af18c2e219543af7ca489e88

Score
10/10
formbookhs3hevasionratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

hs3h

C2

http://www.alefisrael.com/hs3h/

Decoy

slairt.com

teresasellsflorida.com

resouthcarolina.com

npccfbf.com

hutshed.com

westatesmarking.com

rustmonkeys.com

kagawa-rentacar.com

easyvoip-system.com

admorinsulation.com

ericaleighjensen.com

zhonghaojiaju.net

apple-iphone.xyz

b0t.info

torgetmc.xyz

lawrencemargarse.com

6123655.com

macdonalds-delivery.com

cvpfl.com

ayudaparaturent.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e87b10b098df8ff5906cb1154c78e83d.exe
    "C:\Users\Admin\AppData\Local\Temp\e87b10b098df8ff5906cb1154c78e83d.exe"
    1⤵
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1932
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DDGuFdDkUBuPOY" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8AF1.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:432
    • C:\Users\Admin\AppData\Local\Temp\e87b10b098df8ff5906cb1154c78e83d.exe
      "{path}"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1948

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Credential Access

Discovery

Query Registry

4
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

3
T1082

Peripheral Device Discovery

1
T1120

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tmp8AF1.tmp
    MD5

    ddba4099615a9c94e52e103543866eca

    SHA1

    86e030d23417380ef4dc5b089b3edfd8b80b3bf6

    SHA256

    fe5e7e85b8f3f417f29b699acdacb898dbbf6d36044085e889be68a5f86233a5

    SHA512

    5874eb99d1de2896ee87517a3ef139f8ebb8dd617b6646cf14a36bf79713328c5914e09b814eca069d86efb0071d7709d0e524bb71074b0312df8c69fcc98b46

    Download Submit
  • memory/432-63-0x0000000000000000-mapping.dmp
    Download
  • memory/1932-62-0x0000000005E00000-0x0000000005E31000-memory.dmp
    Filesize

    196KB

    Download
  • memory/1932-59-0x000000007EF40000-0x000000007EF41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-60-0x0000000001F40000-0x0000000001F4E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1932-61-0x0000000007D20000-0x0000000007DA2000-memory.dmp
    Filesize

    520KB

    Download
  • memory/1932-55-0x0000000000140000-0x0000000000141000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-58-0x0000000004E70000-0x0000000004E71000-memory.dmp
    Filesize

    4KB

    Download
  • memory/1932-57-0x0000000075901000-0x0000000075903000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1948-65-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1948-66-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1948-67-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1948-68-0x000000000041F1A0-mapping.dmp
    Download
  • memory/1948-69-0x0000000000A00000-0x0000000000D03000-memory.dmp
    Filesize

    3.0MB

    Download