Overview

overview

10

Static

static

H4vBtZsi8xAKaMm.exe

windows7_x64

10

H4vBtZsi8xAKaMm.exe

windows10_x64

10

Analysis

  • max time kernel
    155s
  • max time network
    161s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    H4vBtZsi8xAKaMm.exe

  • Size

    1.2MB

  • MD5

    7eabab04e4a6fdd45238e32ed81e222c

  • SHA1

    e0e1dc469746f5e2e049ea4a93d9b09a9227b342

  • SHA256

    b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd

  • SHA512

    eeaa0f02a15a66b3363f94730ad3cf7c533a4bf303cfa0f53b21959a54dc0f65c50b1ac179aa5f992e3e17bbfaaa1b7393da3d1859ddd51932d36bdf0b7fa21b

Score
10/10
formbooku1p5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u1p5

Decoy

yannickrast.com

shitcoin.team

mysweetelissa.com

tpnfrgm2wrld.xyz

freeclothesonline.com

rhoads-music.com

tanglewoodrx.com

sharkeycustoms.com

bonin-island.com

apeutah.com

metacehennem.xyz

deutscheno1.com

e-gate-io.store

hometoto.xyz

jojomove.com

vzn2aai2qj.icu

couponcodes6.com

pbcgotv.com

metarealtyhome.com

geymall.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe
      "C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1332
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:852
    • C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\SysWOW64\cmstp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1804
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:1968

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/852-62-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/852-65-0x00000000007D0000-0x0000000000CA3000-memory.dmp
      Filesize

      4.8MB

      Download
    • memory/852-66-0x00000000001E0000-0x00000000001F4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/852-63-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/852-61-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1224-73-0x00000000050E0000-0x00000000051C5000-memory.dmp
      Filesize

      916KB

      Download
    • memory/1224-67-0x0000000006710000-0x000000000682F000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1332-59-0x0000000005840000-0x00000000058C8000-memory.dmp
      Filesize

      544KB

      Download
    • memory/1332-60-0x00000000008B0000-0x00000000008E4000-memory.dmp
      Filesize

      208KB

      Download
    • memory/1332-55-0x0000000000900000-0x0000000000A44000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/1332-58-0x0000000000300000-0x000000000030A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/1332-57-0x0000000000490000-0x00000000005B3000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/1332-56-0x0000000075F91000-0x0000000075F93000-memory.dmp
      Filesize

      8KB

      Download
    • memory/1804-69-0x0000000000EE0000-0x0000000000EF8000-memory.dmp
      Filesize

      96KB

      Download
    • memory/1804-70-0x0000000000090000-0x00000000000BF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1804-71-0x0000000000A60000-0x0000000000D63000-memory.dmp
      Filesize

      3.0MB

      Download
    • memory/1804-72-0x0000000000880000-0x0000000000913000-memory.dmp
      Filesize

      588KB

      Download