Overview

overview

10

Static

static

PIO298767890098.exe

windows7-x64

10

PIO298767890098.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    18/10/2022, 18:02

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    PIO298767890098.exe

  • Size

    613KB

  • MD5

    18a53e8426076b426f4ea1af0ebebc4f

  • SHA1

    b2ccd7190c03583d41e4b9f74e0fcc9c3b72d20e

  • SHA256

    3c35a04edd86465c4f752711854c9bc1a902395c647067b5e88c53895654906f

  • SHA512

    77b23336b822cd6680f78f6f7a704c674ae71d239d8f358a7bbdd7668ec6c9cb1a03e49b612d696da453f978e8423c81dd58f4ba71ff39a082dd3ad9b949a86f

  • SSDEEP

    12288:qLmHM28bxhvruH5XuwSl595n5HTFhiUxpBGefqwKZcFROidcea:hExhTcRSXn5HJ+eyFcFy

Score
10/10
formbookg47eratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

g47e

Decoy

73346.top

matureshift.shop

bohnergroup.com

snehq.store

7pijj.com

wineshopsonline.com

reactivecreditagric.mom

aganderson.net

1800302.vip

942565.com

phonetography.club

garansugar.com

pinetree.email

34245.top

thejoy.run

pointvirtualrx.com

pqz.info

paddleboards.shop

vvapro.info

8peakssustainablelab.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 6 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 23 IoCs
  • Suspicious behavior: MapViewOfSection 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\PIO298767890098.exe
      "C:\Users\Admin\AppData\Local\Temp\PIO298767890098.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1100
      • C:\Users\Admin\AppData\Local\Temp\PIO298767890098.exe
        "{path}"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1348
    • C:\Windows\SysWOW64\wininit.exe
      "C:\Windows\SysWOW64\wininit.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:924
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\PIO298767890098.exe"
        3⤵
        • Deletes itself
        PID:612

Network

        MITRE ATT&CK Matrix

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/924-80-0x0000000000080000-0x00000000000AF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/924-75-0x0000000002060000-0x0000000002363000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/924-77-0x0000000000080000-0x00000000000AF000-memory.dmp

          Filesize

          188KB

          Download

        • memory/924-74-0x0000000000C40000-0x0000000000C5A000-memory.dmp

          Filesize

          104KB

          Download

        • memory/924-78-0x0000000000A60000-0x0000000000AF3000-memory.dmp

          Filesize

          588KB

          Download

        • memory/1100-58-0x0000000000E80000-0x0000000000EB4000-memory.dmp

          Filesize

          208KB

          Download

        • memory/1100-54-0x0000000000EB0000-0x0000000000F50000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1100-57-0x0000000005A80000-0x0000000005B08000-memory.dmp

          Filesize

          544KB

          Download

        • memory/1100-56-0x00000000003D0000-0x00000000003F0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/1100-55-0x00000000763F1000-0x00000000763F3000-memory.dmp

          Filesize

          8KB

          Download

        • memory/1256-79-0x0000000007470000-0x0000000007586000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1256-81-0x0000000007470000-0x0000000007586000-memory.dmp

          Filesize

          1.1MB

          Download

        • memory/1256-68-0x0000000006A90000-0x0000000006BEA000-memory.dmp

          Filesize

          1.4MB

          Download

        • memory/1256-71-0x0000000006550000-0x0000000006635000-memory.dmp

          Filesize

          916KB

          Download

        • memory/1348-60-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1348-73-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1348-70-0x00000000003A0000-0x00000000003B4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1348-67-0x00000000002D0000-0x00000000002E4000-memory.dmp

          Filesize

          80KB

          Download

        • memory/1348-66-0x00000000008A0000-0x0000000000BA3000-memory.dmp

          Filesize

          3.0MB

          Download

        • memory/1348-65-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1348-62-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download

        • memory/1348-59-0x0000000000400000-0x000000000042F000-memory.dmp

          Filesize

          188KB

          Download