Overview

overview

10

Static

static

ZB_1997e758e3.exe

windows7-x64

10

ZB_1997e758e3.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    159s
  • max time network
    158s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220722-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220722-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-08-2022 15:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ZB_1997e758e3.exe

  • Size

    487KB

  • MD5

    25d40c676222d431691223ea256c5be0

  • SHA1

    844e84f81a6fcb00af333793bccdf960377dd7d0

  • SHA256

    76b075d9a92f124e01df0a2c3f86ea729666db05b813d499fb3ce6d2402f42d9

  • SHA512

    1e140f4427fd5989b28827169126445c2bf7a8059a3279fa419c9d8280998e1c005234d1a5c3bf87a79d527adf153ccf199e070a0ae9ab2bef62437d3fd76161

Score
10/10
formbookmh76ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

mh76

Decoy

healthgovcalottery.net

wenxinliao.com

rooterphd.com

bbobbo.one

american-mes-de-dezembro.xyz

mintager.com

thespecialtstore.com

wemakegreenhomes.com

occurandmental.xyz

fidelityrealtytitle.com

numerisat.asia

wearestallions.com

supxl.com

rajacumi.com

renaziv.online

blixtindustries.com

fjljq.com

exploretrivenicamping.com

authenticusspa.com

uucloud.press

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 39 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\ZB_1997e758e3.exe
      "C:\Users\Admin\AppData\Local\Temp\ZB_1997e758e3.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4888
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:3912
    • C:\Windows\SysWOW64\cscript.exe
      "C:\Windows\SysWOW64\cscript.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5108
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
        3⤵
          PID:4528

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/3036-139-0x0000000008890000-0x00000000089FB000-memory.dmp
      Filesize

      1.4MB

      Download
    • memory/3036-149-0x0000000008AF0000-0x0000000008C0C000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3036-148-0x0000000008AF0000-0x0000000008C0C000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3912-141-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3912-135-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/3912-138-0x0000000000FD0000-0x0000000000FE5000-memory.dmp
      Filesize

      84KB

      Download
    • memory/3912-134-0x0000000000000000-mapping.dmp
      Download
    • memory/3912-137-0x00000000010A0000-0x00000000013EA000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/4528-144-0x0000000000000000-mapping.dmp
      Download
    • memory/4888-133-0x0000000005E40000-0x0000000005E62000-memory.dmp
      Filesize

      136KB

      Download
    • memory/4888-132-0x0000000000FB0000-0x0000000001030000-memory.dmp
      Filesize

      512KB

      Download
    • memory/5108-143-0x0000000001200000-0x000000000122F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/5108-145-0x0000000003200000-0x000000000354A000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/5108-146-0x0000000001200000-0x000000000122F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/5108-147-0x00000000030A0000-0x0000000003134000-memory.dmp
      Filesize

      592KB

      Download
    • memory/5108-142-0x0000000000AC0000-0x0000000000AE7000-memory.dmp
      Filesize

      156KB

      Download
    • memory/5108-140-0x0000000000000000-mapping.dmp
      Download