Overview

overview

10

Static

static

PO48092172...df.exe

windows7_x64

10

PO48092172...df.exe

windows10_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    29-10-2021 11:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO4809217226898789.pdf.exe

  • Size

    347KB

  • MD5

    e3d87c2d533796d8a78793bf4ef179ec

  • SHA1

    7855d161dc42e4a0936f71274c9142950fc542c8

  • SHA256

    f40c731716d135ea7e583819570a83d92e24c3dfb2a3b0ac375bd97774ffd689

  • SHA512

    b4af236df96ad68bac6cc0522de034083c5b49d295bff8c1c83223ba1d137dfae48601ec443f346c1f672846dd8f58124d6c076be85b736060e083ee12725812

Score
10/10
formbookgr1cratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

gr1c

C2

http://www.illusiontrick.com/gr1c/

Decoy

soakyourgrains.com

duwego.com

aenkdesign.com

bikabbziu.xyz

thesawyerlegacy.com

koreanmodelbj.xyz

exceed-standards.com

syirsve.com

sachisushimontreal.com

thegalwaykitchen.com

accarwash-hub.com

connectwithmentor.com

luftfundament.online

ibrahimkaracan.com

biggersinsurance.com

desellon.com

tvnewscloset.com

digital-dre.com

ingocg.com

fernanda-ortiz.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 54 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1588
    • C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe
      "C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe
        "C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe"
        3⤵
          PID:3580
        • C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe
          "C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe"
          3⤵
            PID:3156
          • C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe
            "C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe"
            3⤵
              PID:4060
            • C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe
              "C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe"
              3⤵
              • Suspicious use of SetThreadContext
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: MapViewOfSection
              • Suspicious use of AdjustPrivilegeToken
              PID:3708
          • C:\Windows\SysWOW64\wscript.exe
            "C:\Windows\SysWOW64\wscript.exe"
            2⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:4092
            • C:\Windows\SysWOW64\cmd.exe
              /c del "C:\Users\Admin\AppData\Local\Temp\PO4809217226898789.pdf.exe"
              3⤵
                PID:1196

          Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1196-135-0x0000000000000000-mapping.dmp
            Download
          • memory/1588-130-0x0000000004FF0000-0x000000000519C000-memory.dmp
            Filesize

            1.7MB

            Download
          • memory/1588-137-0x00000000061B0000-0x0000000006332000-memory.dmp
            Filesize

            1.5MB

            Download
          • memory/2192-117-0x00000000058E0000-0x00000000058E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2192-118-0x00000000053E0000-0x00000000053E1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2192-119-0x0000000005370000-0x0000000005371000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2192-120-0x0000000005380000-0x0000000005381000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2192-121-0x0000000005620000-0x0000000005621000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2192-122-0x0000000005800000-0x0000000005807000-memory.dmp
            Filesize

            28KB

            Download
          • memory/2192-123-0x000000007EA80000-0x000000007EA81000-memory.dmp
            Filesize

            4KB

            Download
          • memory/2192-124-0x0000000007840000-0x0000000007890000-memory.dmp
            Filesize

            320KB

            Download
          • memory/2192-115-0x0000000000AF0000-0x0000000000AF1000-memory.dmp
            Filesize

            4KB

            Download
          • memory/3708-125-0x0000000000400000-0x000000000042F000-memory.dmp
            Filesize

            188KB

            Download
          • memory/3708-129-0x00000000019C0000-0x00000000019D4000-memory.dmp
            Filesize

            80KB

            Download
          • memory/3708-128-0x0000000001680000-0x00000000019A0000-memory.dmp
            Filesize

            3.1MB

            Download
          • memory/3708-126-0x000000000041F0B0-mapping.dmp
            Download
          • memory/4092-131-0x0000000000000000-mapping.dmp
            Download
          • memory/4092-132-0x0000000000030000-0x0000000000057000-memory.dmp
            Filesize

            156KB

            Download
          • memory/4092-133-0x00000000027C0000-0x00000000027EF000-memory.dmp
            Filesize

            188KB

            Download
          • memory/4092-134-0x00000000044F0000-0x0000000004810000-memory.dmp
            Filesize

            3.1MB

            Download
          • memory/4092-136-0x0000000004350000-0x00000000043E3000-memory.dmp
            Filesize

            588KB

            Download