Overview

overview

10

Static

static

PO 0131.exe

windows7_x64

10

PO 0131.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    139s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    31-01-2022 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO 0131.exe

  • Size

    601KB

  • MD5

    eb437cbf64c34aebc51d6fd32ceec985

  • SHA1

    2a1d8901240f6079da9c6978aabb658d55114d12

  • SHA256

    3d4e25f876b2007b8b03a1d79109a52fcb5602644fb4554eb065f97853daa5de

  • SHA512

    af5a6a5c4479ac2a5dc6988d8a283ff022914347159440bb8f292fa426253cb6eefe67809701eb4996de4f92a85e933003796669523cd99500f5337e547d9d38

Score
10/10
formbookje16ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

je16

Decoy

antonavt.com

sdfvlog.xyz

xn--arbetslivsaktren-ywb.com

propelcolor.com

uniqueclsssiccars.com

colorbells.com

synjive.com

cloudymellows.com

walltage.com

qterps.com

kezorup.online

soakedindelight.online

thefirstgroupscam.biz

miclanka.com

mwm-security.com

trinksaifenradiodocumentary.com

spineklinik.com

javacodecafe.com

groovyrelease-toknowtoday.info

ventadesillasymesas.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\PO 0131.exe
      "C:\Users\Admin\AppData\Local\Temp\PO 0131.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:964
      • C:\Users\Admin\AppData\Local\Temp\PO 0131.exe
        "C:\Users\Admin\AppData\Local\Temp\PO 0131.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:752
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PO 0131.exe"
        3⤵
        • Deletes itself
        PID:1152

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/752-67-0x00000000001D0000-0x00000000001E4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/752-63-0x0000000000870000-0x0000000000E03000-memory.dmp
    Filesize

    5.6MB

    Download
  • memory/752-59-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/752-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/752-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/752-66-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/752-64-0x0000000000180000-0x0000000000194000-memory.dmp
    Filesize

    80KB

    Download
  • memory/964-54-0x0000000000A60000-0x0000000000AFC000-memory.dmp
    Filesize

    624KB

    Download
  • memory/964-57-0x0000000000450000-0x00000000004C1000-memory.dmp
    Filesize

    452KB

    Download
  • memory/964-58-0x0000000004CB0000-0x0000000004D16000-memory.dmp
    Filesize

    408KB

    Download
  • memory/964-56-0x0000000000760000-0x0000000000774000-memory.dmp
    Filesize

    80KB

    Download
  • memory/964-55-0x0000000075601000-0x0000000075603000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1384-73-0x0000000004730000-0x000000000484E000-memory.dmp
    Filesize

    1.1MB

    Download
  • memory/1384-68-0x0000000007050000-0x00000000071BF000-memory.dmp
    Filesize

    1.4MB

    Download
  • memory/1384-65-0x0000000006940000-0x0000000006AC5000-memory.dmp
    Filesize

    1.5MB

    Download
  • memory/1652-69-0x0000000000800000-0x0000000000822000-memory.dmp
    Filesize

    136KB

    Download
  • memory/1652-70-0x0000000000190000-0x00000000001BF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1652-71-0x0000000002090000-0x0000000002393000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1652-72-0x0000000001DC0000-0x0000000001E53000-memory.dmp
    Filesize

    588KB

    Download