Overview

overview

10

Static

static

po456789__img.exe

windows7_x64

10

po456789__img.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 01:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    po456789__img.exe

  • Size

    403KB

  • MD5

    8205a489fc508497b86443d6253e294b

  • SHA1

    45e9e0b6dc9fce4583753e3cded6552844de0695

  • SHA256

    6f4b543bdd425e2cb35fcc06f79dfac486985ae0d84133c34e0fd01b3a2c22bb

  • SHA512

    b5099a16e8ad338574e6b5f5b57c0b160ff12fa75efbafe8e06dfa3de23611c54edddd9ef9e2fe30a424df733a93eafee452bdf7f5b344bb9629dff15353cd08

Score
10/10
formbookdujevasionpersistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

duj

Decoy

deapink.pink

tkmdz.com

nytzshicai.com

photos-identite-dijon.com

ekanun.net

xn--fiqy4bxl57l9sag6f6wb.ink

slivercat5.com

ai-ethics.net

510ns.com

inotherways.com

ridesharesettelment.com

zjxiangnong.com

aoraessentials.com

sheap-list.com

heshengqy.com

experts-comptables-paris-17.com

parissummerolympics2024.info

gtyx88.com

devopsonjob.com

vodacred.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Looks for VirtualBox Guest Additions in registry 2 TTPs
    evasion
  • Adds policy Run key to start application 2 TTPs 2 IoCs
    persistence
  • Looks for VMWare Tools registry key 2 TTPs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 3 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1384
    • C:\Users\Admin\AppData\Local\Temp\po456789__img.exe
      "C:\Users\Admin\AppData\Local\Temp\po456789__img.exe"
      2⤵
      • Checks BIOS information in registry
      • Maps connected drives based on registry
      • Suspicious use of SetThreadContext
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:776
      • C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:800
    • C:\Windows\SysWOW64\netsh.exe
      "C:\Windows\SysWOW64\netsh.exe"
      2⤵
      • Adds policy Run key to start application
      • Suspicious use of SetThreadContext
      • Drops file in Program Files directory
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2028
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v2.0.50727\MSBuild.exe"
        3⤵
          PID:320
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:2020

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logim.jpeg
        Filesize

        60KB

        MD5

        828b281dec20b73a32026010e2c0fcea

        SHA1

        c09baed7b91912355e3b51a27e38a7465f9177da

        SHA256

        47da73808920e76f3797a5a6cbdc7aa744ca321ae66d2e3ce0c95528aa2ac48c

        SHA512

        8f6887251fcfc4bd2a57275d7f1ceba5abc4ed891efa780c0dd54bad9611e7b3e8f4514cba96992eee1aeab28338ee1789211677d58da0eb643d6ef8b4ca1164

        Download Submit

      • C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logrf.ini
        Filesize

        40B

        MD5

        2f245469795b865bdd1b956c23d7893d

        SHA1

        6ad80b974d3808f5a20ea1e766c7d2f88b9e5895

        SHA256

        1662d01a2d47b875a34fc7a8cd92e78cb2ba7f34023c7fd2639cbb10b8d94361

        SHA512

        909f189846a5d2db208a5eb2e7cb3042c0f164caf437e2b1b6de608c0a70e4f3510b81b85753dbeec1e211e6a83e6ea8c96aff896e9b6e8ed42014473a54dc4f

        Download Submit

      • C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logri.ini
        Filesize

        40B

        MD5

        d63a82e5d81e02e399090af26db0b9cb

        SHA1

        91d0014c8f54743bba141fd60c9d963f869d76c9

        SHA256

        eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae

        SHA512

        38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

        Download Submit

      • C:\Users\Admin\AppData\Roaming\KN5OBP81\KN5logrv.ini
        Filesize

        40B

        MD5

        ba3b6bc807d4f76794c4b81b09bb9ba5

        SHA1

        24cb89501f0212ff3095ecc0aba97dd563718fb1

        SHA256

        6eebf968962745b2e9de2ca969af7c424916d4e3fe3cc0bb9b3d414abfce9507

        SHA512

        ecd07e601fc9e3cfc39addd7bd6f3d7f7ff3253afb40bf536e9eaac5a4c243e5ec40fbfd7b216cb0ea29f2517419601e335e33ba19dea4a46f65e38694d465bf

        Download Submit

      • memory/320-67-0x0000000000000000-mapping.dmp

        Download

      • memory/776-54-0x00000000753B1000-0x00000000753B3000-memory.dmp

        Filesize

        8KB

        Download

      • memory/776-55-0x0000000074460000-0x0000000074A0B000-memory.dmp

        Filesize

        5.7MB

        Download

      • memory/800-59-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/800-64-0x0000000000310000-0x0000000000324000-memory.dmp

        Filesize

        80KB

        Download

      • memory/800-63-0x0000000000850000-0x0000000000B53000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/800-62-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/800-60-0x000000000041E2E0-mapping.dmp

        Download

      • memory/800-57-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/800-56-0x0000000000400000-0x000000000042D000-memory.dmp

        Filesize

        180KB

        Download

      • memory/1384-65-0x0000000004BD0000-0x0000000004D5F000-memory.dmp

        Filesize

        1.6MB

        Download

      • memory/1384-72-0x0000000006A20000-0x0000000006B65000-memory.dmp

        Filesize

        1.3MB

        Download

      • memory/2028-66-0x0000000000000000-mapping.dmp

        Download

      • memory/2028-71-0x0000000001E70000-0x0000000001F03000-memory.dmp

        Filesize

        588KB

        Download

      • memory/2028-70-0x0000000002140000-0x0000000002443000-memory.dmp

        Filesize

        3.0MB

        Download

      • memory/2028-69-0x0000000000080000-0x00000000000AD000-memory.dmp

        Filesize

        180KB

        Download

      • memory/2028-68-0x0000000000A50000-0x0000000000A6B000-memory.dmp

        Filesize

        108KB

        Download