Analysis

  • max time kernel
    161s
  • max time network
    157s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    27-01-2022 13:38

General

  • Target

    o.exe

  • Size

    188KB

  • MD5

    5f625c29e0ab782363acad948b13374f

  • SHA1

    af2cb912c0d8c6eb43ade7940dbb56815d9c79a6

  • SHA256

    e38ab4998d2ec00aef052328a9a289a9a96ab45fb52a49b81a223068b0f5899c

  • SHA512

    ec409199c648bf6feec2eda0b00b959384a72942f7a3451a9e5a2889e7250b9595a765a0d4fc4cd2a8a2d8e9884d3bc4610cdc2d9cf538a945371f5a07cdabe5

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je16

Decoy

Signatures

  • Formbook

    Formbook is an information-stealing malware family.

  • suricata: ET MALWARE FormBook CnC Checkin (GET)

  • Formbook Payload 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 58 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Users\Admin\AppData\Local\Temp\o.exe
      "C:\Users\Admin\AppData\Local\Temp\o.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:2732
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3524
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\o.exe"
        3⤵
        PID:3888


Downloads

  • memory/2732-115-0x0000000001070000-0x00000000011BA000-memory.dmp
    Filesize: 1.3MB
  • memory/2732-116-0x00000000015E0000-0x00000000015F4000-memory.dmp
    Filesize: 80KB
  • memory/3032-117-0x00000000064A0000-0x00000000065E5000-memory.dmp
    Filesize: 1.3MB
  • memory/3032-122-0x00000000065F0000-0x000000000670C000-memory.dmp
    Filesize: 1.1MB
  • memory/3524-119-0x0000000000BA0000-0x0000000000BCF000-memory.dmp
    Filesize: 188KB
  • memory/3524-118-0x0000000001300000-0x000000000130C000-memory.dmp
    Filesize: 48KB
  • memory/3524-120-0x0000000004D10000-0x0000000005030000-memory.dmp
    Filesize: 3.1MB
  • memory/3524-121-0x00000000049E0000-0x0000000004B77000-memory.dmp
    Filesize: 1.6MB