Analysis

  • max time kernel
    152s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-en-20220112
  • submitted
    02-03-2022 15:24

General

  • Target

    order_list_attached.exe

  • Size

    184KB

  • MD5

    d183004c73c53fd2e1c50bce8cc40602

  • SHA1

    99fcacc46c4bc2bf0c066e37f7e88b23284ed8a9

  • SHA256

    10fc636b7474b2ea701bfda198e0625d430d51097665addbc8d7bf397e565855

  • SHA512

    e7c34484eb796d2d178da4c3078e89aeb41c4cb0d6af4a945f32667da4fbbf31093c9024eb5c51e1ba8600931c5ad6d68d98e908467d5073b46e932c7788ab8c

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

3nop

Decoy

videohm.com

panache-rose.com

alnooncars-kw.com

trueblue2u.com

brussels-cafe.com

ip2c.net

influenzerr.com

rbcoq.com

zzful.com

drainthe.com

sumaholesson.com

cursosaprovados.com

genotecinc.com

dbrulhart.com

theapiarystudios.com

kensyu-kan.com

dkku88.com

tikhyper.com

aztecnort.com

homebrim.com

Signatures

  • Formbook

    Formbook is an information stealer: it logs keystrokes, grabs form data and clipboard contents, takes screenshots and harvests credentials from browsers and mail clients. It typically runs from inside explorer.exe and a legitimate Windows binary picked from SysWOW64, which is the pattern visible in the process tree below.

  • Formbook Payload 1 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2404
    • C:\Users\Admin\AppData\Local\Temp\order_list_attached.exe
      "C:\Users\Admin\AppData\Local\Temp\order_list_attached.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      PID:1436
    • C:\Windows\SysWOW64\help.exe
      "C:\Windows\SysWOW64\help.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:844
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\order_list_attached.exe"
        3⤵
          PID:2828
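
The process tree above shows the chain worth alerting on: explorer.exe (PID 2404) is the parent of both the sample (PID 1436) and an argument-less copy of help.exe from SysWOW64 (PID 844) that carries SetThreadContext, MapViewOfSection and WriteProcessMemory, and that process then runs cmd.exe /c del against the original sample. The script below is an added example, not the sandbox's own rule logic; it walks a constructed event list built from the PIDs, paths and signature names in this report and flags that chain. The heuristic thresholds (explorer as parent, SysWOW64 image launched with only its own path, at least one injection signature, a cmd.exe child deleting a sibling's image) are this example's own assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str
    sigs: frozenset


# Constructed from the process tree in this report (same PIDs, paths and
# behaviour signatures); it is not a sandbox export format.
EVENTS = [
    Proc(2404, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE",
         frozenset({"GetForegroundWindowSpam", "AdjustPrivilegeToken", "WriteProcessMemory"})),
    Proc(1436, 2404, r"C:\Users\Admin\AppData\Local\Temp\order_list_attached.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\order_list_attached.exe"',
         frozenset({"SetThreadContext", "EnumeratesProcesses", "MapViewOfSection",
                    "AdjustPrivilegeToken"})),
    Proc(844, 2404, r"C:\Windows\SysWOW64\help.exe", r'"C:\Windows\SysWOW64\help.exe"',
         frozenset({"SetThreadContext", "EnumeratesProcesses", "MapViewOfSection",
                    "AdjustPrivilegeToken", "WriteProcessMemory"})),
    Proc(2828, 844, r"C:\Windows\SysWOW64\cmd.exe",
         r'/c del "C:\Users\Admin\AppData\Local\Temp\order_list_attached.exe"', frozenset()),
]

# Signatures that indicate the process is being used as an injection target/host.
INJECTION_SIGS = frozenset({"SetThreadContext", "WriteProcessMemory", "MapViewOfSection"})
# cmd.exe /c del "<path>" with or without quotes around the path.
DEL_RE = re.compile(r'/c\s+del\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_hollowed_syswow64_hosts(events: list[Proc]) -> list[dict]:
    """Flag the chain seen in the report:
    explorer.exe -> argument-less SysWOW64 binary with injection signatures
                 -> cmd.exe /c del <image of a sibling process>.
    Thresholds are this example's own heuristics, not the sandbox's rules."""
    by_pid = {p.pid: p for p in events}
    hits = []
    for p in events:
        parent = by_pid.get(p.ppid) if p.ppid is not None else None
        if parent is None or _basename(parent.image) != "explorer.exe":
            continue
        if "\\syswow64\\" not in p.image.lower():
            continue
        # Launched with nothing but its own path: nobody runs help.exe like this by hand.
        if p.cmdline.strip('"').lower() != p.image.lower():
            continue
        if not (p.sigs & INJECTION_SIGS):
            continue
        # Images of the other children of the same parent (the dropper lives here).
        siblings = {q.image.lower(): q.pid for q in events if q.ppid == p.ppid and q.pid != p.pid}
        for child in events:
            if child.ppid != p.pid or _basename(child.image) != "cmd.exe":
                continue
            m = DEL_RE.search(child.cmdline)
            if m and m.group(1).lower() in siblings:
                hits.append({
                    "host_pid": p.pid, "host_image": p.image,
                    "cleanup_pid": child.pid, "deleted_image": m.group(1),
                    "dropper_pid": siblings[m.group(1).lower()],
                })
    return hits


if __name__ == "__main__":
    for h in find_hollowed_syswow64_hosts(EVENTS):
        print(h)
```

Against the constructed events this yields exactly one hit (host 844, cleanup 2828, dropper 1436). The same four conditions map onto Sysmon event IDs 1 (process creation, for the parent/command line checks) and 8/10 (CreateRemoteThread and process access, for the injection side) if you want to port the logic to a SIEM rule.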

Downloads

  • memory/844-134-0x0000000000480000-0x0000000000487000-memory.dmp
    Filesize

    28KB

  • memory/844-135-0x0000000002AA0000-0x0000000002ACE000-memory.dmp
    Filesize

    184KB

  • memory/844-136-0x0000000003140000-0x000000000348A000-memory.dmp
    Filesize

    3.3MB

  • memory/844-137-0x0000000003030000-0x00000000030C3000-memory.dmp
    Filesize

    588KB

  • memory/1436-130-0x0000000000F00000-0x000000000124A000-memory.dmp
    Filesize

    3.3MB

  • memory/1436-131-0x00000000009AE000-0x00000000009AF000-memory.dmp
    Filesize

    4KB

  • memory/1436-132-0x00000000009C0000-0x00000000009D4000-memory.dmp
    Filesize

    80KB

  • memory/2404-133-0x0000000007B00000-0x0000000007C01000-memory.dmp
    Filesize

    1.0MB

  • memory/2404-138-0x0000000002B10000-0x0000000002BA7000-memory.dmp
    Filesize

    604KB
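
The dump names above encode the PID and the start/end address of each region, so the sizes can be recomputed and compared across processes without downloading anything. The script below is an added example, not part of the sandbox report; it parses the nine names listed above (embedded as constructed input) and points out two things a practitioner would check first: the 0x34A000 region present in both the sample (PID 1436) and help.exe (PID 844), which is the size relationship an injected payload leaves behind, and the 0x2E000 region in help.exe, which equals the 184KB sample size from the General section. Reading the middle number of each name as the sandbox's dump ordinal is an assumption; the report does not define it.

```python
import re
from collections import defaultdict

# Dump names follow memory/<pid>-<index>-<start>-<end>-memory.dmp; "index" is
# read here as the sandbox's dump ordinal (an assumption, the report does not define it).
DUMP_RE = re.compile(
    r"memory/(?P<pid>\d+)-(?P<idx>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed from the Downloads list in this report; the sample size is the
# 184KB given in the General section.
DUMPS = [
    "memory/844-134-0x0000000000480000-0x0000000000487000-memory.dmp",
    "memory/844-135-0x0000000002AA0000-0x0000000002ACE000-memory.dmp",
    "memory/844-136-0x0000000003140000-0x000000000348A000-memory.dmp",
    "memory/844-137-0x0000000003030000-0x00000000030C3000-memory.dmp",
    "memory/1436-130-0x0000000000F00000-0x000000000124A000-memory.dmp",
    "memory/1436-131-0x00000000009AE000-0x00000000009AF000-memory.dmp",
    "memory/1436-132-0x00000000009C0000-0x00000000009D4000-memory.dmp",
    "memory/2404-133-0x0000000007B00000-0x0000000007C01000-memory.dmp",
    "memory/2404-138-0x0000000002B10000-0x0000000002BA7000-memory.dmp",
]
SAMPLE_SIZE = 184 * 1024
PAGE = 0x1000


def parse_dump(name: str) -> dict:
    """Split a dump file name into pid, index, start, end and size (bytes)."""
    m = DUMP_RE.search(name)
    if not m:
        raise ValueError(f"unrecognised dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start or start % PAGE or end % PAGE:
        raise ValueError(f"not a page-aligned region: {name}")
    return {"pid": int(m["pid"]), "idx": int(m["idx"]),
            "start": start, "end": end, "size": end - start}


def fmt_size(n: int) -> str:
    """Reproduce the report's own labels: whole KB below 1 MB, one decimal MB above."""
    if n < 1024 * 1024:
        return f"{n // 1024}KB"
    return f"{n / (1024 * 1024):.1f}MB"


def shared_sizes(dumps: list) -> dict:
    """Region sizes that occur in more than one process, mapped to sorted PIDs.
    The same-sized image in two processes is what an injected payload looks like."""
    by_size = defaultdict(set)
    for d in dumps:
        by_size[d["size"]].add(d["pid"])
    return {size: sorted(pids) for size, pids in by_size.items() if len(pids) > 1}


def regions_matching_sample(dumps: list, sample_size: int) -> list:
    """Regions whose size equals the sample file rounded up to page granularity:
    candidates for a copy of the original PE written into another process."""
    target = -(-sample_size // PAGE) * PAGE
    return [d for d in dumps if d["size"] == target]


if __name__ == "__main__":
    parsed = [parse_dump(n) for n in DUMPS]
    for d in parsed:
        print(f'{d["pid"]:5d} {d["start"]:#010x}-{d["end"]:#010x} {fmt_size(d["size"]):>6}')
    print("shared:", {fmt_size(s): p for s, p in shared_sizes(parsed).items()})
    print("sample-sized:", [(d["pid"], d["idx"]) for d in regions_matching_sample(parsed, SAMPLE_SIZE)])
```

The recomputed sizes match the Filesize labels in the list above, the only size shared between processes is 0x34A000 (3.3MB, in 844 and 1436), and the only sample-sized region is 844-135. Those two dumps, plus the 3.3MB one from 1436, are the ones to pull for unpacking and config extraction; the page-aligned check rejects names whose addresses were mangled in copying.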