Overview

overview

10

Static

static

Irrazvdr.exe

windows7_x64

10

Irrazvdr.exe

windows10-2004_x64

10

Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    06-07-2022 13:29

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Irrazvdr.exe

  • Size

    54KB

  • MD5

    cedb27004e2fbaf88af7850aaf5133b0

  • SHA1

    1ea8386b3a52bb32ae24f41ba0ef4f912eada74c

  • SHA256

    2cbb67b48b3162ce44c224d9230d58a4263e71a50ca82673477d2e14f7ae2087

  • SHA512

    3dd1a35ab8d59db4b933190906e9d039459c8d7e39849819d6ba9ac214f57f826bf6ab3342f132971b104016779035704efb1dd5e000af1419e83a0060a79521

Score
10/10
formbookca27persistenceratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

ca27

Decoy

sefacoin.com

rightvisionsecuritysystems.com

jthousing1509.com

bj-sfxh.com

fansdy.com

waltit.com

kgaelhp.icu

latil.sa.com

ethmerger.com

theunimarkgroup.com

51anb.com

betsinatra.com

asd3wuh.icu

vinissimo3gwen.xyz

supernewshub.site

asfq4ev.icu

nftstoremarketing.com

blondefitgal.com

zmsoftware-co.com

beedotech.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 4 IoCs
    rat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3136
    • C:\Users\Admin\AppData\Local\Temp\Irrazvdr.exe
      "C:\Users\Admin\AppData\Local\Temp\Irrazvdr.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1472
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2764
    • C:\Windows\SysWOW64\mstsc.exe
      "C:\Windows\SysWOW64\mstsc.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1436
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:1380

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Privilege Escalation

    Defense Evasion

    Modify Registry

    1
    T1112

    Credential Access

    Discovery

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/1380-143-0x0000000000000000-mapping.dmp
      Download
    • memory/1436-141-0x0000000000C70000-0x0000000000DAA000-memory.dmp
      Filesize

      1.2MB

      Download
    • memory/1436-147-0x0000000001200000-0x000000000122F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1436-145-0x0000000003000000-0x0000000003094000-memory.dmp
      Filesize

      592KB

      Download
    • memory/1436-144-0x00000000031B0000-0x00000000034FA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/1436-142-0x0000000001200000-0x000000000122F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1436-140-0x0000000000000000-mapping.dmp
      Download
    • memory/1472-131-0x0000000006540000-0x00000000065A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/1472-132-0x00000000067B0000-0x0000000006842000-memory.dmp
      Filesize

      584KB

      Download
    • memory/1472-130-0x0000000000F10000-0x0000000000F22000-memory.dmp
      Filesize

      72KB

      Download
    • memory/2764-134-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2764-138-0x0000000001940000-0x0000000001955000-memory.dmp
      Filesize

      84KB

      Download
    • memory/2764-137-0x0000000001990000-0x0000000001CDA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/2764-136-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2764-133-0x0000000000000000-mapping.dmp
      Download
    • memory/3136-139-0x0000000008660000-0x00000000087E5000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3136-146-0x00000000031C0000-0x00000000032A0000-memory.dmp
      Filesize

      896KB

      Download
    • memory/3136-148-0x00000000031C0000-0x00000000032A0000-memory.dmp
      Filesize

      896KB

      Download