Overview

overview

10

Static

static

ORDER_26.exe

windows7_x64

10

ORDER_26.exe

windows10_x64

10

Analysis

  • max time kernel
    157s
  • max time network
    153s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    26-01-2022 13:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER_26.exe

  • Size

    1007KB

  • MD5

    2a7891d958327a9c60b079ee3d487fd8

  • SHA1

    fd828cc4ac3c2e8dd0319b146c0886677543c5d3

  • SHA256

    0fcca302c4bcf8f490650685b46d1ea92edcb126aaf959c4b8ad0897511ee7d5

  • SHA512

    945e51519051fa89023cf74e3935ae1a2ab98d5f758529908829e7b604c9cff56dd38af4446558d97fa8f918601e19e5c9ddb736578969768ae69966f163290f

Score
10/10
formbookje16ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je16

Decoy

antonavt.com

sdfvlog.xyz

xn--arbetslivsaktren-ywb.com

propelcolor.com

uniqueclsssiccars.com

colorbells.com

synjive.com

cloudymellows.com

walltage.com

qterps.com

kezorup.online

soakedindelight.online

thefirstgroupscam.biz

miclanka.com

mwm-security.com

trinksaifenradiodocumentary.com

spineklinik.com

javacodecafe.com

groovyrelease-toknowtoday.info

ventadesillasymesas.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2364
    • C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
      "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2604
      • C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
        "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
        3⤵
          PID:1500
        • C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
          "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
          3⤵
            PID:1328
          • C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe
            "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
            3⤵
            • Suspicious use of SetThreadContext
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            PID:3500
        • C:\Windows\SysWOW64\wscript.exe
          "C:\Windows\SysWOW64\wscript.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:380
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\ORDER_26.exe"
            3⤵
              PID:1144

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/380-131-0x0000000004480000-0x0000000004614000-memory.dmp
          Filesize

          1.6MB

          Download
        • memory/380-130-0x0000000004620000-0x0000000004940000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/380-128-0x0000000000AA0000-0x0000000000AC7000-memory.dmp
          Filesize

          156KB

          Download
        • memory/380-129-0x0000000000980000-0x00000000009AF000-memory.dmp
          Filesize

          188KB

          Download
        • memory/2364-127-0x00000000056E0000-0x00000000057EC000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2364-132-0x0000000000E50000-0x0000000000EF3000-memory.dmp
          Filesize

          652KB

          Download
        • memory/2604-119-0x0000000004DC0000-0x0000000004DCA000-memory.dmp
          Filesize

          40KB

          Download
        • memory/2604-122-0x00000000077C0000-0x000000000782A000-memory.dmp
          Filesize

          424KB

          Download
        • memory/2604-121-0x0000000007720000-0x00000000077BC000-memory.dmp
          Filesize

          624KB

          Download
        • memory/2604-120-0x0000000004FF0000-0x0000000004FFC000-memory.dmp
          Filesize

          48KB

          Download
        • memory/2604-115-0x0000000000470000-0x0000000000572000-memory.dmp
          Filesize

          1.0MB

          Download
        • memory/2604-118-0x0000000004DB0000-0x00000000052AE000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/2604-117-0x0000000004E50000-0x0000000004EE2000-memory.dmp
          Filesize

          584KB

          Download
        • memory/2604-116-0x00000000052B0000-0x00000000057AE000-memory.dmp
          Filesize

          5.0MB

          Download
        • memory/3500-123-0x0000000000400000-0x000000000042F000-memory.dmp
          Filesize

          188KB

          Download
        • memory/3500-125-0x00000000011D0000-0x00000000014F0000-memory.dmp
          Filesize

          3.1MB

          Download
        • memory/3500-126-0x0000000000EA0000-0x00000000011C2000-memory.dmp
          Filesize

          3.1MB

          Download