Analysis

  • max time kernel: 148s
  • max time network: 121s
  • platform: windows7_x64
  • resource: win7-en-20211104
  • submitted: 24-11-2021 15:56

General

  • Target: 9.exe
  • Size: 188KB
  • MD5: dac650b23c4aba94eaf5caaeead3319c
  • SHA1: 229458c66c9555a3d61ae980708357f093c5e6b8
  • SHA256: bc8cabab3ec65da43b8c3e708ed9f9745757523041ef62e450b6fea48fae50e1
  • SHA512: a6cdb8b8944686f87afb3763d37774d98b4f05ad7ee694490d67c4e00f007ffab33b02f006b0e782ee67be085b97183d0020181621d879c80463669efd407bb5

Malware Config

Extracted

  • Family: formbook
  • Version: 4.1
  • Campaign: w6ya
  • C2: http://www.truth-capturemachine.com/w6ya/
  • Decoy:

Signatures

  • Formbook

    Formbook is a data-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload (1 IoC)
  • Deletes itself (1 IoC)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Suspicious behavior: EnumeratesProcesses (30 IoCs)
  • Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  • Suspicious behavior: MapViewOfSection (5 IoCs)
  • Suspicious use of AdjustPrivilegeToken (3 IoCs)
  • Suspicious use of FindShellTrayWindow (2 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of WriteProcessMemory (8 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\9.exe
      "C:\Users\Admin\AppData\Local\Temp\9.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1048
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\9.exe"
        3⤵
        • Deletes itself
        PID:1664

Network

MITRE ATT&CK Matrix

Downloads

  • memory/1048-56-0x0000000000130000-0x0000000000144000-memory.dmp (Filesize: 80KB)
  • memory/1048-55-0x0000000000950000-0x0000000000C53000-memory.dmp (Filesize: 3.0MB)
  • memory/1116-58-0x0000000000000000-mapping.dmp
  • memory/1116-59-0x00000000000D0000-0x00000000000F2000-memory.dmp (Filesize: 136KB)
  • memory/1116-60-0x0000000000070000-0x000000000009F000-memory.dmp (Filesize: 188KB)
  • memory/1116-61-0x0000000001F10000-0x0000000002213000-memory.dmp (Filesize: 3.0MB)
  • memory/1116-63-0x0000000001E20000-0x0000000001EB3000-memory.dmp (Filesize: 588KB)
  • memory/1220-57-0x00000000063F0000-0x0000000006585000-memory.dmp (Filesize: 1.6MB)
  • memory/1220-64-0x0000000006590000-0x0000000006704000-memory.dmp (Filesize: 1.5MB)
  • memory/1664-62-0x0000000000000000-mapping.dmp