Overview

overview

10

Static

static

sample and order.exe

windows7-x64

10

sample and order.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    147s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-10-2022 13:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    sample and order.exe

  • Size

    281KB

  • MD5

    7dbd6df3ec4fec51110e44dd2122d166

  • SHA1

    078d7b5f3453fcb85908cd9209a07766f613307f

  • SHA256

    cf7fc1a1f8101f89f4b4693b664e96f88febde65bc7c0b5f9dc19ce060c45c84

  • SHA512

    c17ff24eedc17ac985a894f10546761b08965cf5e4c0d7d94466546b8c723cb7140ed37a99be0af64d8abeb1d0092fd16b8e6efe96eecdcb7d62e56d8b9de3c1

  • SSDEEP

    6144:PDRYLF0WnhfA+UOx85VjsXov0Df+FyUzg:rR20Wnt3KsXo8DfCywg

Score
10/10
formbookhlpqratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

hlpq

Decoy

mldSsngjzTHzaBZba069RrUmJw==

f0b/EZNM9UFUVxE=

MDL3b5SzuL6PH/Kikfw=

OudWLtIWZJFGaA==

xXgtQAEmIRjnk2vd+TVnrkpcMA==

HNmBV2fv0mP2gxk=

faeiX5TDOI5ltFsZ

bP0KGLe8mXkxmVkO

VRZeZu3VJs1Q2mET

A9mQgvhLDCUYYg==

TvpiStz3fge+3ZpO73Vj

fBaaUHWI3y02WQXrUa5r

54L6DSGvfeO1tVb9e6sktVDY

yM0Iv3K6hwXriE3Nu+N2eB60w0VNNgo=

obVogUsv0CTETtGGNqAktVDY

zuyrKkdHKGP2gxk=

ZnYxy5BL3u+4qVgkuJufqg==

0P24HCo4h+iuJfKikfw=

gaVk/JEbvFmbJDqNk+s=

bTekCo8Z5gcepjtsjtmGzZ0=

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of SetThreadContext 3 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 62 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:2228
    • C:\Users\Admin\AppData\Local\Temp\sample and order.exe
      "C:\Users\Admin\AppData\Local\Temp\sample and order.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:400
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Regsvcs.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:5004
    • C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies Internet Explorer settings
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1136
      • C:\Program Files\Mozilla Firefox\Firefox.exe
        "C:\Program Files\Mozilla Firefox\Firefox.exe"
        3⤵
          PID:4372

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/400-132-0x0000000000A50000-0x0000000000A9A000-memory.dmp

      Filesize

      296KB

      Download

    • memory/1136-148-0x0000000000570000-0x000000000059D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1136-146-0x00000000024B0000-0x000000000253F000-memory.dmp

      Filesize

      572KB

      Download

    • memory/1136-145-0x0000000002690000-0x00000000029DA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/1136-144-0x0000000000570000-0x000000000059D000-memory.dmp

      Filesize

      180KB

      Download

    • memory/1136-143-0x0000000000140000-0x0000000000154000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2228-141-0x0000000002950000-0x0000000002A56000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/2228-147-0x0000000008320000-0x000000000845B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/2228-149-0x0000000008320000-0x000000000845B000-memory.dmp

      Filesize

      1.2MB

      Download

    • memory/5004-140-0x0000000000F90000-0x0000000000FA0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/5004-139-0x0000000001580000-0x00000000018CA000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/5004-138-0x0000000000401000-0x000000000042E000-memory.dmp

      Filesize

      180KB

      Download

    • memory/5004-137-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5004-136-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download

    • memory/5004-134-0x0000000000400000-0x000000000042E000-memory.dmp

      Filesize

      184KB

      Download