Overview

overview

10

Static

static

tmp.exe

windows7-x64

10

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    151s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7-20220812-en
  • resource tags

    arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
  • submitted
    02-12-2022 03:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    880KB

  • MD5

    b334b3f51ba68fe25f487850ee9710ed

  • SHA1

    ea18a63daa9f0b55a96e70bf9e45838f48b56b92

  • SHA256

    8ad29501e45ec72a916eccc0b9d34e074dc9f9010c74d32d871d66d4c4351897

  • SHA512

    2c653f016428898c75ac85b891ad3b0c98fb80e0b46786773c2af95d0ad18fec13755d9f0ad316186f827ce04454738217789babeb8cd735af1c322fae091450

  • SSDEEP

    24576:8RiMfoGdmgFQCIdv/H5e7w7En1gSp4T79j:4QGdlehdH5e7w7EnOSCP

Score
10/10
formbookdv22ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

dv22

Decoy

ivk-muc.com

theplantgranny.net

efefefficient.buzz

car-deals-87506.com

yangcongzhibo.net

empiralventures.com

latexpillo.com

ferramentafivizzanese.shop

kx1553.com

timamollo.africa

paran6787.net

fabicilio.online

kreativnettchen.shop

manakamana.co.uk

andreapeverelli.shop

jianf.site

kmqan.xyz

aoshilang.com

dnsmctmu.com

pumpkinsmp.net

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook payload 4 IoCs
    rat
  • Deletes itself 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 2 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1272
    • C:\Users\Admin\AppData\Local\Temp\tmp.exe
      "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Users\Admin\AppData\Local\Temp\tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:1076
    • C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\SysWOW64\explorer.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
        3⤵
        • Deletes itself
        PID:1924

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1076-68-0x0000000000180000-0x0000000000194000-memory.dmp
    Filesize

    80KB

    Download
  • memory/1076-63-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1076-66-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1076-67-0x00000000009E0000-0x0000000000CE3000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1076-64-0x000000000041F140-mapping.dmp
    Download
  • memory/1076-61-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1076-60-0x0000000000400000-0x000000000042F000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1272-78-0x0000000004A90000-0x0000000004B3E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1272-80-0x0000000004A90000-0x0000000004B3E000-memory.dmp
    Filesize

    696KB

    Download
  • memory/1272-69-0x0000000006CB0000-0x0000000006E51000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1272-79-0x0000000006CB0000-0x0000000006E51000-memory.dmp
    Filesize

    1.6MB

    Download
  • memory/1520-57-0x00000000004B0000-0x00000000004BE000-memory.dmp
    Filesize

    56KB

    Download
  • memory/1520-58-0x00000000050C0000-0x0000000005130000-memory.dmp
    Filesize

    448KB

    Download
  • memory/1520-55-0x0000000074D61000-0x0000000074D63000-memory.dmp
    Filesize

    8KB

    Download
  • memory/1520-59-0x0000000004F70000-0x0000000004FA4000-memory.dmp
    Filesize

    208KB

    Download
  • memory/1520-54-0x0000000001150000-0x0000000001230000-memory.dmp
    Filesize

    896KB

    Download
  • memory/1520-56-0x00000000002F0000-0x0000000000306000-memory.dmp
    Filesize

    88KB

    Download
  • memory/1924-73-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-70-0x0000000000000000-mapping.dmp
    Download
  • memory/1988-76-0x0000000002440000-0x0000000002743000-memory.dmp
    Filesize

    3.0MB

    Download
  • memory/1988-77-0x00000000021C0000-0x0000000002253000-memory.dmp
    Filesize

    588KB

    Download
  • memory/1988-75-0x00000000000C0000-0x00000000000EF000-memory.dmp
    Filesize

    188KB

    Download
  • memory/1988-74-0x0000000000900000-0x0000000000B81000-memory.dmp
    Filesize

    2.5MB

    Download
  • memory/1988-72-0x0000000074851000-0x0000000074853000-memory.dmp
    Filesize

    8KB

    Download