Overview

overview

10

Static

static

PO KIPO000...22.exe

windows7-x64

10

PO KIPO000...22.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    153s
  • max time network
    178s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-11-2022 21:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    PO KIPO000903 KIND122822.exe

  • Size

    636KB

  • MD5

    3b61d04e555f74f42e22c71a5885ac71

  • SHA1

    9c774e98b87394627d311a552d8bde85d57b327c

  • SHA256

    ab2af768a15bf36f36de51389f4ee62cb0816779473a53716cee76734bda7538

  • SHA512

    f7363fa7857e791e6fd9320fba7c1d3927fd4c0aa6a7935a88ffabd747323f0e93d12a8f3c4be2625606e86c8f612e4271ef9ee41848d3bf2a8bdc4fed328f70

  • SSDEEP

    12288:yucKpbKbf92TXwpL3sMcIobFB5BD8tVvkwkrscPA3QR+:yF4bKOORcIoxBDr1P/

Score
10/10
formbookd94iratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

d94i

Decoy

drain-pipe-cleaning-74655.com

culligandiiy.com

lknja.shop

salon-atmosfera.ru

steamgeneratorboilers.com

drain-pipe-cleaning-30896.com

dinoton.fun

feed-v.com

aym-brum.co.uk

bxztil.xyz

infinite-transformation.com

caticmicro.com

abrahamgranda.com

cleaninggem.com

hi5279.com

jainsdigitalservices.com

cglsuperset.com

kephatonrx.com

babyhandmold.com

braceelet.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2696
    • C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
      "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:4772
      • C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
        "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
        3⤵
          PID:3748
        • C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe
          "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
          3⤵
          • Suspicious use of SetThreadContext
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: MapViewOfSection
          • Suspicious use of AdjustPrivilegeToken
          PID:3744
      • C:\Windows\SysWOW64\msdt.exe
        "C:\Windows\SysWOW64\msdt.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3332
        • C:\Windows\SysWOW64\cmd.exe
          /c del "C:\Users\Admin\AppData\Local\Temp\PO KIPO000903 KIND122822.exe"
          3⤵
            PID:1572

      Network

      MITRE ATT&CK Matrix

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1572-148-0x0000000000000000-mapping.dmp
        Download
      • memory/2696-144-0x0000000008610000-0x000000000875E000-memory.dmp
        Filesize

        1.3MB

        Download
      • memory/2696-152-0x0000000002E20000-0x0000000002F0A000-memory.dmp
        Filesize

        936KB

        Download
      • memory/3332-146-0x0000000000370000-0x00000000003C7000-memory.dmp
        Filesize

        348KB

        Download
      • memory/3332-147-0x0000000000BA0000-0x0000000000BCF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3332-145-0x0000000000000000-mapping.dmp
        Download
      • memory/3332-151-0x0000000002C50000-0x0000000002CE3000-memory.dmp
        Filesize

        588KB

        Download
      • memory/3332-150-0x0000000000BA0000-0x0000000000BCF000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3332-149-0x0000000002D30000-0x000000000307A000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3744-141-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3744-139-0x0000000000400000-0x000000000042F000-memory.dmp
        Filesize

        188KB

        Download
      • memory/3744-142-0x0000000001690000-0x00000000019DA000-memory.dmp
        Filesize

        3.3MB

        Download
      • memory/3744-143-0x00000000011E0000-0x00000000011F4000-memory.dmp
        Filesize

        80KB

        Download
      • memory/3744-138-0x0000000000000000-mapping.dmp
        Download
      • memory/3748-137-0x0000000000000000-mapping.dmp
        Download
      • memory/4772-135-0x0000000002740000-0x000000000274A000-memory.dmp
        Filesize

        40KB

        Download
      • memory/4772-134-0x0000000004AE0000-0x0000000004B72000-memory.dmp
        Filesize

        584KB

        Download
      • memory/4772-133-0x0000000005090000-0x0000000005634000-memory.dmp
        Filesize

        5.6MB

        Download
      • memory/4772-136-0x0000000008230000-0x00000000082CC000-memory.dmp
        Filesize

        624KB

        Download
      • memory/4772-132-0x0000000000040000-0x00000000000E6000-memory.dmp
        Filesize

        664KB

        Download