Overview

overview

10

Static

static

PO KIPO000...22.exe

windows7-x64

10

PO KIPO000...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    138s
  • max time network
    49s
  • platform
    windows7_x64
  • resource
    win7-20220901-en
  • resource tags

    arch:x64arch:x86image:win7-20220901-enlocale:en-usos:windows7-x64system
  • submitted
    28-11-2022 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO KIPO000903 KIND122822.exe

  • Size

    636KB

  • MD5

    3b61d04e555f74f42e22c71a5885ac71

  • SHA1

    9c774e98b87394627d311a552d8bde85d57b327c

  • SHA256

    ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538

  • SHA512

    f7363fa7857e791e6fd9320fba7c1d3927fd4c0aa6a7935a88ffabd747323f0e93d12a8f3c4be2625606e86c8f612e4271ef9ee41848d3bf2a8bdc4fed328f70

  • SSDEEP

    12288:yucKpbKbf92TXwpL3sMcIobFB5BD8tVvkwkrscPA3QR+:yF4bKOORcIoxBDr1P/

Score
10/10
formbookd94iratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    PID:1400
    • C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
      "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
        "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:768

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/768-68-0x00000000002E0000-0x00000000002F4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/768-67-0x0000000000890000-0x0000000000B93000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/768-64-0x000000000041F160-mapping.dmp
    Download
  • memory/768-71-0x00000000003A0000-0x00000000003B4000-memory.dmp
    Filesize

    80KB

    Download
  • memory/768-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/768-66-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/768-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/768-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/768-73-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1048-55-0x00000000759F1000-0x00000000759F3000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1048-56-0x00000000004B0000-0x00000000004C6000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1048-59-0x0000000000650000-0x0000000000684000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1048-54-0x0000000000EE0000-0x0000000000F86000-memory.dmp
    Filesize

    664KB

    Download
  • memory/1048-58-0x0000000004EB0000-0x0000000004F20000-memory.dmp
    Filesize

    448KB

    Download
  • memory/1048-57-0x0000000000500000-0x000000000050E000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1400-75-0x000007FE86870000-0x000007FE8687A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/1400-72-0x0000000007040000-0x0000000007180000-memory.dmp
    Filesize

    1.2MB

    Download
  • memory/1400-74-0x000007FEF6970000-0x000007FEF6AB3000-memory.dmp
    Filesize

    1.3MB

    Download
  • memory/1400-69-0x0000000006960000-0x0000000006AA2000-memory.dmp
    Filesize

    1.3MB

    Download