Overview

overview

10

Static

static

tmp.exe

windows7_x64

10

tmp.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 07:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    536KB

  • MD5

    9e70e8a4f264cc5ef9c7cc2c0977ce7f

  • SHA1

    2fdade7cace270aacb774b1079c99f80110da9e1

  • SHA256

    712d9e2373914cd9231c6c55a5d919efa6df53194b2c06b03695501dde071760

  • SHA512

    278b3662e35ee839e197c218e22b32e3f9885b53004dbde163d3e86e91a6e6abbeff9afc4e444181c16b0e75d2b274639870bcafb7b43a9568c88116be66d0da

Score
10/10
formbookm56uratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

m56u

Decoy

tercantiq.com

fortvillechicken.net

spiritsandtheb.com

alliant-inc.biz

yh1902.com

xiaodewenhua.net

cityjobs.xyz

seniorlivingwisconsin.com

piadagrilla.com

truistfinancebank.online

nft-fashionlover.com

hangmandownload.com

chun888.xyz

lemonviral.com

getagrip.network

daniellepinnock.info

chiswickstudios.com

essayservicee.com

bharatpragatifoundation.com

800vn.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2896
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:3684
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2032
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1952
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
          PID:4460

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1952-140-0x0000000000000000-mapping.dmp
      Download
    • memory/1952-148-0x0000000000840000-0x000000000086F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1952-146-0x00000000029C0000-0x0000000002A53000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1952-145-0x0000000002B90000-0x0000000002EDA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1952-144-0x0000000000840000-0x000000000086F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1952-143-0x0000000000950000-0x0000000000977000-memory.dmp
      Filesize

      156KB

      Download
    • memory/2032-134-0x0000000000000000-mapping.dmp
      Download
    • memory/2032-138-0x0000000001580000-0x0000000001594000-memory.dmp
      Filesize

      80KB

      Download
    • memory/2032-137-0x00000000015A0000-0x00000000018EA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2032-141-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2032-135-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2896-139-0x00000000080D0000-0x0000000008251000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/2896-147-0x0000000008670000-0x00000000087DF000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/2896-149-0x0000000008670000-0x00000000087DF000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3684-130-0x0000000000950000-0x00000000009DA000-memory.dmp
      Filesize

      552KB

      Download
    • memory/3684-133-0x000000000B4E0000-0x000000000B57C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/3684-132-0x0000000007A00000-0x0000000007A92000-memory.dmp
      Filesize

      584KB

      Download
    • memory/3684-131-0x0000000007EC0000-0x0000000008464000-memory.dmp
      Filesize

      5.6MB

      Download
    • memory/4460-142-0x0000000000000000-mapping.dmp
      Download