Overview

overview

10

Static

static

5

proformafaktura.exe

windows7_x64

7

proformafaktura.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220113
  • submitted
    21-02-2022 09:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    proformafaktura.exe

  • Size

    1.4MB

  • MD5

    b7f3fc76e71df26b2610742c6343da72

  • SHA1

    e8251404fa0acad1c0c5ddef1c17265e2952d3f2

  • SHA256

    ddb5440189f6a486cae5317df13fd6fa94129941e9aa8a0586bca4c5ed97fb54

  • SHA512

    fd94b2ba6e757cbb09cc01f5d5e7093e9ba131c4d3e5fa492b49a63a9040848e20e42ff982d4b344e5bd8f7037441ac6e5b8a98bceded13b07b5df193e0f1192

Score
10/10
formbookn7akratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

n7ak

Decoy

audereventur.com

huro14.com

wwwjinsha155.com

antiquevendor.com

samuraisoulfood.net

traffic4updates.download

hypersarv.com

rapport-happy-wedding.com

rokutechnosupport.online

allworljob.com

hanaleedossmann.com

kauai-marathon.com

bepbosch.com

kangen-international.com

zoneshopemenowz.com

belviderewrestling.com

ipllink.com

sellingforcreators.com

wwwswty6655.com

qtumboa.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 2 IoCs
    rat
  • Drops startup file 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Windows directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 59 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 10 IoCs
  • Suspicious use of FindShellTrayWindow 3 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:896
    • C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe
      "C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"
      2⤵
      • Drops startup file
      • Suspicious use of SetThreadContext
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:1532
      • C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe
        "C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"
        3⤵
          PID:1900
        • C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe
          "C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:2388
      • C:\Windows\SysWOW64\autofmt.exe
        "C:\Windows\SysWOW64\autofmt.exe"
        2⤵
          PID:1884
        • C:\Windows\SysWOW64\rundll32.exe
          "C:\Windows\SysWOW64\rundll32.exe"
          2⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2460
          • C:\Windows\SysWOW64\cmd.exe
            /c del "C:\Users\Admin\AppData\Local\Temp\proformafaktura.exe"
            3⤵
              PID:3324
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k netsvcs -p -s wuauserv
          1⤵
          • Drops file in Windows directory
          • Suspicious use of AdjustPrivilegeToken
          PID:3964

        Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/896-139-0x0000000008DA0000-0x0000000008F48000-memory.dmp
          Filesize

          1.7MB

          Download
        • memory/896-147-0x0000000008590000-0x000000000867A000-memory.dmp
          Filesize

          936KB

          Download
        • memory/1532-134-0x0000000000CC0000-0x0000000000CC3000-memory.dmp
          Filesize

          12KB

          Download
        • memory/1532-133-0x0000000000B30000-0x0000000000B5D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/2388-136-0x0000000001B60000-0x0000000001EAA000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2388-138-0x0000000002060000-0x0000000002074000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2388-137-0x000000000041E000-0x000000000041F000-memory.dmp
          Filesize

          4KB

          Download
        • memory/2388-135-0x0000000000400000-0x000000000042D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/2460-140-0x0000000000DF0000-0x0000000000E04000-memory.dmp
          Filesize

          80KB

          Download
        • memory/2460-141-0x0000000000870000-0x000000000089D000-memory.dmp
          Filesize

          180KB

          Download
        • memory/2460-142-0x0000000002910000-0x0000000002C5A000-memory.dmp
          Filesize

          3.3MB

          Download
        • memory/2460-146-0x0000000002720000-0x00000000027B3000-memory.dmp
          Filesize

          588KB

          Download
        • memory/3964-143-0x000001E4DEF20000-0x000001E4DEF30000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3964-144-0x000001E4DEF80000-0x000001E4DEF90000-memory.dmp
          Filesize

          64KB

          Download
        • memory/3964-145-0x000001E4E1630000-0x000001E4E1634000-memory.dmp
          Filesize

          16KB

          Download