Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    141s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    06-07-2022 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    536KB

  • MD5

    9e70e8a4f264cc5ef9c7cc2c0977ce7f

  • SHA1

    2fdade7cace270aacb774b1079c99f80110da9e1

  • SHA256

    712d9e2373914cd9231c6c55a5d919efa6df53194b2c06b03695501dde071760

  • SHA512

    278b3662e35ee839e197c218e22b32e3f9885b53004dbde163d3e86e91a6e6abbeff9afc4e444181c16b0e75d2b274639870bcafb7b43a9568c88116be66d0da

Score
10/10
formbookm56uratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m56u

Decoy

tercantiq.com

fortvillechicken.net

spiritsandtheb.com

alliant-inc.biz

yh1902.com

xiaodewenhua.net

cityjobs.xyz

seniorlivingwisconsin.com

piadagrilla.com

truistfinancebank.online

nft-fashionlover.com

hangmandownload.com

chun888.xyz

lemonviral.com

getagrip.network

daniellepinnock.info

chiswickstudios.com

essayservicee.com

bharatpragatifoundation.com

800vn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 5 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 18 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1792
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:952
    • C:\Windows\SysWOW64\wlanext.exe
      "C:\Windows\SysWOW64\wlanext.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Deletes itself
        PID:1180

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/952-67-0x0000000000A00000-0x0000000000D03000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/952-69-0x0000000000150000-0x0000000000164000-memory.dmp
    Filesize

    80KB

    Download
  • memory/952-68-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/952-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/952-62-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/952-64-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/952-65-0x000000000041F140-mapping.dmp
    Download
  • memory/1180-72-0x0000000000000000-mapping.dmp
    Download
  • memory/1252-79-0x0000000005F90000-0x000000000608F000-memory.dmp
    Filesize

    1020KB

    Download
  • memory/1252-77-0x0000000005F90000-0x000000000608F000-memory.dmp
    Filesize

    1020KB

    Download
  • memory/1252-70-0x0000000004360000-0x0000000004439000-memory.dmp
    Filesize

    868KB

    Download
  • memory/1792-60-0x0000000000E50000-0x0000000000E84000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1792-54-0x0000000000FB0000-0x000000000103A000-memory.dmp
    Filesize

    552KB

    Download
  • memory/1792-59-0x0000000004710000-0x000000000477E000-memory.dmp
    Filesize

    440KB

    Download
  • memory/1792-58-0x0000000000640000-0x000000000064A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1792-57-0x0000000006FF5000-0x0000000007006000-memory.dmp
    Filesize

    68KB

    Download
  • memory/1792-56-0x00000000003B0000-0x00000000003C6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1792-55-0x0000000075451000-0x0000000075453000-memory.dmp
    Filesize

    8KB

    Download
  • memory/2044-71-0x0000000000000000-mapping.dmp
    Download
  • memory/2044-73-0x0000000000BD0000-0x0000000000BE6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/2044-74-0x0000000001FF0000-0x00000000022F3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/2044-75-0x00000000000D0000-0x00000000000FF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/2044-76-0x0000000000920000-0x00000000009B3000-memory.dmp
    Filesize

    588KB

    Download
  • memory/2044-78-0x00000000000D0000-0x00000000000FF000-memory.dmp
    Filesize

    188KB

    Download