Overview

overview

10

Static

static

c3f3bfc5d2...66.exe

windows7_x64

10

c3f3bfc5d2...66.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    05-05-2022 05:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c3f3bfc5d28585cfdd0ffe3ca9d27466.exe

  • Size

    214KB

  • MD5

    c3f3bfc5d28585cfdd0ffe3ca9d27466

  • SHA1

    19f998f85c9828804894c7819af8aa4371d6cc8b

  • SHA256

    e068472192705c282033d8a215d5ba5f63d9b80d339df9a419f7ab93bab042d5

  • SHA512

    a4c86eec133c079e96f50d96efe5bc3707abc05d784f0c85115291b4c15462ea77b3777e4013172c43de8b46f5935ae6f76eea336430dcf74fcd236a2b7fa3f5

Score
10/10
formbookfw02ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

fw02

Decoy

payer-breakers.com

thesiscoper.com

rental-villa.com

scovikinnovations.com

hydh33.com

allmyshit.rest

lovejaclyn.com

vanessaruizwriting.com

dufonddelaclasse.com

kiddee168.com

monumentalmarketsllc.com

musclegainfatloss.com

avida.info

cosmo-wellness.net

dandelionfusedigital.com

oversizeloadbanners.com

konstelle.store

sdjnsbd.com

czoqg.xyz

5p6xljjse1lq.xyz

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 3 IoCs
    rat
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 60 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2928
    • C:\Users\Admin\AppData\Local\Temp\c3f3bfc5d28585cfdd0ffe3ca9d27466.exe
      "C:\Users\Admin\AppData\Local\Temp\c3f3bfc5d28585cfdd0ffe3ca9d27466.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4352
      • C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
        C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4488
        • C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
          C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:4212
    • C:\Windows\SysWOW64\NETSTAT.EXE
      "C:\Windows\SysWOW64\NETSTAT.EXE"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3908
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe"
        3⤵
          PID:4912

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Command-Line Interface

    1
    T1059

    Persistence

    Privilege Escalation

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\9njqn5sr1lz95
      Filesize

      184KB

      MD5

      76728cebe3c85634b392acdf58d9a043

      SHA1

      cf0617e5500f46a091cb869be30818ef8d80fbe1

      SHA256

      772a30ddfa0091edfae7cde5df98f54c216e6d5ff2b2f3445534c6a8e8772388

      SHA512

      f10bb969f36151c092c2e02e30f4fe415ee6f886e6428ad761a490cb27d83d4d81111d6bfc3e21195fd33fdde7bb90abd747dd0a04c67b72b31629abd2ba0c52

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\wjwksbnnwa
      Filesize

      5KB

      MD5

      8c04bb0f0c3fe1cc05a308ae08abac0f

      SHA1

      d270c6109184a5efbe09dc82396c94e286d2398f

      SHA256

      0900abc4d2442f01c5ab74584bd3e24579065fab4e972753f0bf4169c20fbed5

      SHA512

      ac80dfa7bfdb3d26f6fe36c2bcca558edb10529ca77e886d9fd2b1252f8b0c26b78a43cc40cd89063a87aee353c50227af68606b5d22fe3cd0131e6372feae4b

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
      Filesize

      5KB

      MD5

      4b4a3595274d34d2640e7b6fe210f3d6

      SHA1

      cb3d3d427b352a1f531f215889c2d47a1f9633e0

      SHA256

      ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a

      SHA512

      3e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
      Filesize

      5KB

      MD5

      4b4a3595274d34d2640e7b6fe210f3d6

      SHA1

      cb3d3d427b352a1f531f215889c2d47a1f9633e0

      SHA256

      ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a

      SHA512

      3e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\yrwhoxwrej.exe
      Filesize

      5KB

      MD5

      4b4a3595274d34d2640e7b6fe210f3d6

      SHA1

      cb3d3d427b352a1f531f215889c2d47a1f9633e0

      SHA256

      ef321250451d28fd6b659dd6c1d7a7e7281cc27c1e13b59336d126f4d90ce55a

      SHA512

      3e2f2cc2da6fa2dc2d1d7516dcae80c95697bf7bb8893ba1157ceaa8b450cd9d745005f9e07afdbd1f4cd2ad2c8cb0505149445c7bab69140f08efd3ec207413

      Download Submit
    • memory/2928-151-0x0000000008590000-0x00000000086B5000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/2928-144-0x0000000008300000-0x00000000083F3000-memory.dmp
      Filesize

      972KB

      Download
    • memory/2928-141-0x00000000081A0000-0x00000000082F3000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/3908-150-0x0000000001580000-0x0000000001613000-memory.dmp
      Filesize

      588KB

      Download
    • memory/3908-149-0x0000000001730000-0x0000000001A7A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3908-148-0x0000000000DA0000-0x0000000000DCF000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3908-147-0x0000000000340000-0x000000000034B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/3908-145-0x0000000000000000-mapping.dmp
      Download
    • memory/4212-135-0x0000000000000000-mapping.dmp
      Download
    • memory/4212-143-0x0000000000960000-0x0000000000974000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4212-142-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4212-140-0x00000000008E0000-0x00000000008F4000-memory.dmp
      Filesize

      80KB

      Download
    • memory/4212-139-0x0000000000A20000-0x0000000000D6A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4212-136-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/4488-130-0x0000000000000000-mapping.dmp
      Download
    • memory/4912-146-0x0000000000000000-mapping.dmp
      Download