Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    173s
  • max time network
    182s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21-11-2022 15:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    459KB

  • MD5

    7a51e6b13d6568f50f2bbf7650b09403

  • SHA1

    1f3f31636c54f1f021afc372fe7f97d74baaf942

  • SHA256

    3a26dd85c2956529f42c1622a093f7b817cbd4af7a474d75198df9e455ac753f

  • SHA512

    c0d4fbff3c1e31fa688a558340d850dcb637def55882dfe93620c8c92972757d10ffb1c9e99aa8c08a757d92989e898b4710550fbac7d8a14d777daf02c5c2db

  • SSDEEP

    12288:i/4TZ+87mkPFUy0fxws0fkrzza48I5pFhjGdiLyo7Qz+Y2wjVMJ2p:iby05ws0izza486lj8Ol7TY2wBMJ+

Score
10/10
formbookf4caratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Campaign

f4ca

Decoy

omFHB5ajfJi1UEIEV9XcoRw=

UBjJkmQPyprdhcFF/bdCWQ==

evGKkBUj1je+otcfpw==

KgvGVeOATSt3nug0BIOm2JvOQycB

Lv6o3K0r9aSjI0lr9fg1txw=

LH1jJb/HieQpsEdqWCQTvX2PmsDVIeg=

99dte0XauJfk6Xv+uQxJFgA1gMktBA==

21FkkGB9gMniDQw2ffu6

r4lKBM/q6TZwVZfS

F+14qHeVWi56KdQ=

BgWXRsVoICMvvQ==

I+EozFl0Uy56KdQ=

xoXCgEllKEbWfjFCCLo=

qo9G1lXvvGt5GkxrLQWw

ORNlYic0PJ2ip4geEFSv

Yj+GFpvFxy0uVYx1fLI/XQ==

XL+veIKPjOTe4fjvFs+n

D2JKVAfuakXCAyoEvw==

voWJU81tH56wvt/vImbCcgVd

dVEcwFrmb8bZ4vXvFs+n

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Suspicious use of SetThreadContext 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 50 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of WriteProcessMemory
    PID:1936
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1904
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
        3⤵
          PID:2796
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3656
      • C:\Windows\SysWOW64\control.exe
        "C:\Windows\SysWOW64\control.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Modifies Internet Explorer settings
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2488
        • C:\Program Files\Mozilla Firefox\Firefox.exe
          "C:\Program Files\Mozilla Firefox\Firefox.exe"
          3⤵
            PID:4260

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1904-137-0x00007FFE7DFA0000-0x00007FFE7EA61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1904-133-0x00007FFE7DFA0000-0x00007FFE7EA61000-memory.dmp
        Filesize

        10.8MB

        Download
      • memory/1904-132-0x0000028573080000-0x00000285730F8000-memory.dmp
        Filesize

        480KB

        Download
      • memory/1936-143-0x0000000002680000-0x00000000027A9000-memory.dmp
        Filesize

        1.2MB

        Download
      • memory/1936-155-0x0000000007FD0000-0x0000000008098000-memory.dmp
        Filesize

        800KB

        Download
      • memory/1936-157-0x0000000007FD0000-0x0000000008098000-memory.dmp
        Filesize

        800KB

        Download
      • memory/1936-147-0x0000000007E30000-0x0000000007FCC000-memory.dmp
        Filesize

        1.6MB

        Download
      • memory/2488-156-0x0000000001030000-0x000000000105D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2488-154-0x0000000002D30000-0x0000000002DBF000-memory.dmp
        Filesize

        572KB

        Download
      • memory/2488-153-0x0000000002FD0000-0x000000000331A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/2488-151-0x0000000000CC0000-0x0000000000CE7000-memory.dmp
        Filesize

        156KB

        Download
      • memory/2488-152-0x0000000001030000-0x000000000105D000-memory.dmp
        Filesize

        180KB

        Download
      • memory/2488-148-0x0000000000000000-mapping.dmp
        Download
      • memory/3656-139-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/3656-146-0x0000000000C00000-0x0000000000C10000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3656-149-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3656-150-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/3656-145-0x0000000000401000-0x000000000042F000-memory.dmp
        Filesize

        184KB

        Download
      • memory/3656-144-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3656-142-0x00000000005F0000-0x0000000000600000-memory.dmp
        Filesize

        64KB

        Download
      • memory/3656-140-0x00000000010C0000-0x000000000140A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3656-138-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3656-135-0x00000000004012B0-mapping.dmp
        Download
      • memory/3656-134-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download