Overview

overview

10

Static

static

H4vBtZsi8xAKaMm.exe

windows7_x64

10

H4vBtZsi8xAKaMm.exe

windows10_x64

10

Analysis

  • max time kernel
    153s
  • max time network
    140s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 14:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    H4vBtZsi8xAKaMm.exe

  • Size

    1.2MB

  • MD5

    7eabab04e4a6fdd45238e32ed81e222c

  • SHA1

    e0e1dc469746f5e2e049ea4a93d9b09a9227b342

  • SHA256

    b79d2d02fe777cfd64723ad9b3935b30c00cbc75614fcadbf867cce88df4a8fd

  • SHA512

    eeaa0f02a15a66b3363f94730ad3cf7c533a4bf303cfa0f53b21959a54dc0f65c50b1ac179aa5f992e3e17bbfaaa1b7393da3d1859ddd51932d36bdf0b7fa21b

Score
10/10
formbooku1p5ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

u1p5

Decoy

yannickrast.com

shitcoin.team

mysweetelissa.com

tpnfrgm2wrld.xyz

freeclothesonline.com

rhoads-music.com

tanglewoodrx.com

sharkeycustoms.com

bonin-island.com

apeutah.com

metacehennem.xyz

deutscheno1.com

e-gate-io.store

hometoto.xyz

jojomove.com

vzn2aai2qj.icu

couponcodes6.com

pbcgotv.com

metarealtyhome.com

geymall.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates system info in registry 2 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 41 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:3020
    • C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe
      "C:\Users\Admin\AppData\Local\Temp\H4vBtZsi8xAKaMm.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4344
        • C:\Windows\SysWOW64\chkdsk.exe
          "C:\Windows\SysWOW64\chkdsk.exe"
          4⤵
          • Suspicious use of SetThreadContext
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4504
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            5⤵
              PID:2684

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3020-129-0x0000000005F30000-0x00000000060D9000-memory.dmp
      Filesize

      1.7MB

      Download
    • memory/3020-132-0x0000000006480000-0x00000000065AE000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/3020-137-0x0000000002D80000-0x0000000002E64000-memory.dmp
      Filesize

      912KB

      Download
    • memory/3452-121-0x0000000004FA0000-0x000000000549E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3452-119-0x0000000004F10000-0x0000000004F1A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3452-120-0x0000000005190000-0x00000000051E6000-memory.dmp
      Filesize

      344KB

      Download
    • memory/3452-118-0x0000000004FA0000-0x0000000005032000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3452-122-0x0000000005170000-0x000000000517A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/3452-123-0x0000000007450000-0x00000000074D8000-memory.dmp
      Filesize

      544KB

      Download
    • memory/3452-124-0x00000000099C0000-0x00000000099F4000-memory.dmp
      Filesize

      208KB

      Download
    • memory/3452-115-0x00000000003E0000-0x0000000000524000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3452-117-0x00000000054A0000-0x000000000599E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3452-116-0x0000000004E30000-0x0000000004ECC000-memory.dmp
      Filesize

      624KB

      Download
    • memory/4344-125-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4344-130-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4344-131-0x0000000001180000-0x0000000001A40000-memory.dmp
      Filesize

      8.8MB

      Download
    • memory/4344-128-0x0000000001020000-0x000000000116A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/4344-127-0x00000000015C0000-0x00000000018E0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4504-134-0x0000000000C00000-0x0000000000C2F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4504-133-0x0000000000E90000-0x0000000000E9A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/4504-135-0x0000000005540000-0x0000000005860000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/4504-136-0x0000000005200000-0x000000000539A000-memory.dmp
      Filesize

      1.6MB

      Download