Overview

overview

10

Static

static

Booking details.exe

windows7-x64

10

Booking details.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    136s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    15/09/2022, 17:11

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    Booking details.exe

  • Size

    1.2MB

  • MD5

    64d38a2ad50e4af64d28d9086e36c37d

  • SHA1

    11cbfad75d83639e5128c78bf256306751a71299

  • SHA256

    edb793d2433f2bcb4651c6576a8f47ff87d258dfaf5a5bf4194701e61f3a6910

  • SHA512

    aefe6cb3e9b8eb7707695b30ee610ef5ec41de50a8410cb3252de0f6eb4428d9edb9f64ea9c680327a87b90718e4f5b1307e6dac548026f67c7ff6c375f299b4

  • SSDEEP

    12288:f1I41hw4e/ehLrzZ3q469R5bfamxgHc/8mA3GQ9xklET7e0+GwFLJLevHyparGQ7:uL4LJFITamqHc/88Q9xklFG86H1GWv4

Score
10/10
formbookrsearatspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

rsea

Decoy

aylagrey.com

ketoodavoqslim.xyz

foyfoy.ltd

buymistnow.com

ownempire.net

cie-revolver.com

kedaimks.com

rockbettergear.com

luminousfadel.com

universalbumpkeys.com

enjoyablestopnshop.com

grandesfinanzas.com

professionmessaging.com

thtoughthenight.com

conservativesshop.com

jimihoodie.com

nhlove.net

agentsheila.com

tilemarkng.com

94ei6mgy.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 19 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1236
    • C:\Users\Admin\AppData\Local\Temp\Booking details.exe
      "C:\Users\Admin\AppData\Local\Temp\Booking details.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:780
      • C:\Users\Admin\AppData\Local\Temp\Booking details.exe
        "C:\Users\Admin\AppData\Local\Temp\Booking details.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
    • C:\Windows\SysWOW64\msiexec.exe
      "C:\Windows\SysWOW64\msiexec.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:952
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\Booking details.exe"
        3⤵
        • Deletes itself
        PID:912

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/780-54-0x0000000001290000-0x00000000013C2000-memory.dmp

          Filesize

          1.2MB

          Download

        • memory/780-55-0x0000000076321000-0x0000000076323000-memory.dmp

          Filesize

          8KB

          Download

        • memory/780-56-0x0000000000940000-0x000000000095A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/780-57-0x0000000000990000-0x000000000099C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/780-58-0x0000000005DF0000-0x0000000005E7E000-memory.dmp

          Filesize

          568KB

          Download

        • memory/780-59-0x00000000011E0000-0x0000000001214000-memory.dmp

          Filesize

          208KB

          Download

        • memory/952-76-0x0000000002460000-0x00000000024F3000-memory.dmp

          Filesize

          588KB

          Download

        • memory/952-74-0x0000000000090000-0x00000000000BF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/952-75-0x0000000002150000-0x0000000002453000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/952-73-0x0000000000420000-0x0000000000434000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1236-69-0x0000000006170000-0x00000000062BA000-memory.dmp

          Filesize

          1.3MB

          Download

        • memory/1236-77-0x00000000048D0000-0x00000000049EF000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1236-78-0x00000000048D0000-0x00000000049EF000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/2028-61-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2028-68-0x0000000000290000-0x00000000002A4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/2028-60-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2028-67-0x0000000000990000-0x0000000000C93000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/2028-66-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/2028-63-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download